Introduction
A type confusion bug in one of the most fundamental kernel drivers in the Windows networking stack now gives any locally authenticated user a clean path to SYSTEM privileges. CVE-2026-34344 targets afd.sys, the Ancillary Function Driver for WinSock, which underpins virtually every socket operation on a Windows host, and it does so with low attack complexity and zero user interaction required.
With Windows holding roughly 72.3 percent of the desktop operating system market as of late 2025, and afd.sys present on every supported Windows installation, the blast radius of this vulnerability is substantial even though exploitation requires local access. Microsoft addressed the flaw in the May 2026 Patch Tuesday release alongside 119 other fixes.
Technical Information
Root Cause: CWE-843 Type Confusion in afd.sys
The core issue is a type confusion vulnerability (CWE-843) within the Windows Ancillary Function Driver for WinSock. In practical terms, an internal data structure within the kernel driver was being cast or interpreted as the wrong type. When a low privileged user can trigger this code path, the driver operates on a resource as though it were a different type than it actually is, leading to kernel memory corruption.
Because afd.sys runs in kernel mode (Ring 0), corrupting memory through this confusion path does not merely crash the process; it provides a primitive that an attacker can leverage to overwrite kernel structures and escalate privileges to SYSTEM.
CVSS 3.1 Breakdown
Microsoft assigned a CVSS 3.1 base score of 7.8 with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The individual metrics tell a clear story about the exploitation profile:
- Attack Vector (Local): The attacker must already have local access to the target system. Remote exploitation is not possible through this vulnerability alone.
- Attack Complexity (Low): No race conditions, specialized configurations, or other prerequisites beyond the attacker's control are needed.
- Privileges Required (Low): A standard, unprivileged user account is sufficient. No administrative or elevated privileges are needed to trigger the bug.
- User Interaction (None): The exploit can run autonomously without requiring another user to click, open, or interact with anything.
- Scope (Unchanged): The vulnerability's impact remains within the security authority of the vulnerable component, though in this case that component is the kernel itself.
- Confidentiality, Integrity, Availability (all High): Successful exploitation yields SYSTEM privileges, granting the attacker the ability to read all data, modify any file or configuration, and fully disrupt system availability.
Attack Flow
Based on the available information, exploitation would follow this general sequence:
- An attacker obtains local access to a Windows system with a standard (low privilege) user account. This could be through legitimate credentials, a compromised user session, or a prior initial access vector.
- The attacker invokes a crafted operation targeting
afd.systhat triggers the type confusion condition. Because the driver handles socket operations, this likely involves issuing specific I/O control requests (IOCTLs) or socket API calls that cause the driver to misinterpret an internal data structure. - The type confusion corrupts kernel memory in a controlled manner, allowing the attacker to overwrite critical kernel structures (such as token objects or process structures).
- The attacker leverages the corrupted state to elevate their process token to SYSTEM, achieving full administrative control over the host.
The low complexity rating suggests the confusion path is relatively straightforward to trigger once the correct input is identified.
Discovery
The vulnerability was discovered and reported by security researchers Puponia and Angelboy, both associated with DEVCORE. DEVCORE has a well established track record of identifying high impact vulnerabilities in widely deployed software, which raises the probability that detailed technical writeups or proof of concept code may surface in the coming weeks or months.
Patch Information
Microsoft released the official fix for CVE-2026-34344 on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. Because afd.sys is a closed source Windows kernel driver, Microsoft has not published a source level diff; the fix is delivered exclusively through cumulative updates on Windows Update and the Microsoft Update Catalog.
The patch corrects the type handling logic so that the driver properly validates the type of the resource before operating on it, eliminating the confusion path. Microsoft's CVSS temporal vector includes RL:O (Official Fix), confirming the remediation is complete.
The update spans a broad matrix of affected products. Every supported Windows desktop and server edition received a corresponding KB article:
| Product Family | KB Article | Patched Build |
|---|---|---|
| Windows 11 26H1 (x64/ARM64) | KB5089548 | 10.0.28000.2113 |
| Windows 11 25H2 / 24H2 (x64/ARM64) | KB5089549 (+ KB5089466 hotpatch) | 10.0.26100.8457 / 10.0.26200.8457 |
| Windows 11 23H2 (x64/ARM64) | KB5087420 | 10.0.22631.7079 |
| Windows 10 22H2 / 21H2 (all architectures) | KB5087544 | 10.0.19045.7291 / 10.0.19044.7291 |
| Windows 10 1809 / Server 2019 | KB5087538 | 10.0.17763.8755 |
| Windows 10 1607 / Server 2016 | KB5087537 | 10.0.14393.9140 |
| Windows Server 2025 | KB5087539 (+ KB5087423 hotpatch) | 10.0.26100.32860 |
| Windows Server 2022 | KB5087545 (+ KB5087424 hotpatch) | 10.0.20348.5139 |
| Windows Server 2022 23H2 | KB5087541 | 10.0.25398.2330 |
| Windows Server 2012 R2 | KB5087471 | 6.3.9600.23181 |
| Windows Server 2012 | KB5087470 | 6.2.9200.26079 |
A noteworthy detail: for newer server and desktop editions (Server 2025, Server 2022, Windows 11 24H2/25H2), Microsoft offered both a standard cumulative security update and a separate Security Hotpatch update (e.g., KB5087423, KB5087424, KB5089466). Hotpatching applies in memory patches to a running kernel without requiring a reboot, which is particularly valuable for production servers where downtime must be minimized.
To apply the fix, administrators should install the applicable cumulative update through Windows Update, WSUS, or by downloading the package directly from the Microsoft Update Catalog. Because the vulnerable driver operates at kernel level and the exploit yields SYSTEM privileges with low attack complexity and no user interaction, prompt patching is strongly recommended. Prioritize systems that allow standard user access or host multiple users, as these present the highest risk for local privilege escalation.
Microsoft has not published any workarounds or alternative mitigations for this vulnerability, making the cumulative update the only remediation path.
Affected Systems and Versions
Based on the patch matrix published by Microsoft, the following Windows versions are confirmed affected:
Desktop Editions:
- Windows 11 version 26H1 (x64 and ARM64)
- Windows 11 versions 25H2 and 24H2 (x64 and ARM64)
- Windows 11 version 23H2 (x64 and ARM64)
- Windows 10 version 22H2 (all architectures)
- Windows 10 version 21H2 (all architectures)
- Windows 10 version 1809
- Windows 10 version 1607
Server Editions:
- Windows Server 2025
- Windows Server 2022 (including 23H2)
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
The vulnerable component, afd.sys, is present on all of these editions. Any system running a build prior to the patched build numbers listed in the Patch Information section above should be considered vulnerable.
Vendor Security History
The May 2026 Patch Tuesday release in which this fix was included addressed a total of 120 security flaws, with no zero days disclosed during the cycle. Microsoft manages vulnerability disclosures and patches through the Microsoft Security Response Center (MSRC). The AFD driver has historically been a target for privilege escalation research; its position as a kernel mode component handling user accessible socket operations makes it a recurring area of interest for both researchers and attackers.
References
- Microsoft Security Update Guide: CVE-2026-34344
- NVD Entry: CVE-2026-34344
- Tenable: CVE-2026-34344
- BleepingComputer: Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days
- Lansweeper: Microsoft Patch Tuesday May 2026
- KB5087544: Windows 10 22H2/21H2
- KB5089549: Windows 11 25H2/24H2
- KB5089548: Windows 11 26H1
- KB5087538: Windows Server 2019
- KB5087539: Windows Server 2025
- MSRC Vulnerability Coordination Process
- Operating System Market Share (September 2025)



