ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-34344 — Windows AFD Type Confusion Enables Local Privilege Escalation to SYSTEM

A short review of CVE-2026-34344, a type confusion vulnerability in the Windows Ancillary Function Driver for WinSock (afd.sys) that allows a low privileged local attacker to escalate to SYSTEM. Patch information and affected versions are included.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-13

Brief Summary: CVE-2026-34344 — Windows AFD Type Confusion Enables Local Privilege Escalation to SYSTEM
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A type confusion bug in one of the most fundamental kernel drivers in the Windows networking stack now gives any locally authenticated user a clean path to SYSTEM privileges. CVE-2026-34344 targets afd.sys, the Ancillary Function Driver for WinSock, which underpins virtually every socket operation on a Windows host, and it does so with low attack complexity and zero user interaction required.

With Windows holding roughly 72.3 percent of the desktop operating system market as of late 2025, and afd.sys present on every supported Windows installation, the blast radius of this vulnerability is substantial even though exploitation requires local access. Microsoft addressed the flaw in the May 2026 Patch Tuesday release alongside 119 other fixes.

Technical Information

Root Cause: CWE-843 Type Confusion in afd.sys

The core issue is a type confusion vulnerability (CWE-843) within the Windows Ancillary Function Driver for WinSock. In practical terms, an internal data structure within the kernel driver was being cast or interpreted as the wrong type. When a low privileged user can trigger this code path, the driver operates on a resource as though it were a different type than it actually is, leading to kernel memory corruption.

Because afd.sys runs in kernel mode (Ring 0), corrupting memory through this confusion path does not merely crash the process; it provides a primitive that an attacker can leverage to overwrite kernel structures and escalate privileges to SYSTEM.

CVSS 3.1 Breakdown

Microsoft assigned a CVSS 3.1 base score of 7.8 with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The individual metrics tell a clear story about the exploitation profile:

  • Attack Vector (Local): The attacker must already have local access to the target system. Remote exploitation is not possible through this vulnerability alone.
  • Attack Complexity (Low): No race conditions, specialized configurations, or other prerequisites beyond the attacker's control are needed.
  • Privileges Required (Low): A standard, unprivileged user account is sufficient. No administrative or elevated privileges are needed to trigger the bug.
  • User Interaction (None): The exploit can run autonomously without requiring another user to click, open, or interact with anything.
  • Scope (Unchanged): The vulnerability's impact remains within the security authority of the vulnerable component, though in this case that component is the kernel itself.
  • Confidentiality, Integrity, Availability (all High): Successful exploitation yields SYSTEM privileges, granting the attacker the ability to read all data, modify any file or configuration, and fully disrupt system availability.

Attack Flow

Based on the available information, exploitation would follow this general sequence:

  1. An attacker obtains local access to a Windows system with a standard (low privilege) user account. This could be through legitimate credentials, a compromised user session, or a prior initial access vector.
  2. The attacker invokes a crafted operation targeting afd.sys that triggers the type confusion condition. Because the driver handles socket operations, this likely involves issuing specific I/O control requests (IOCTLs) or socket API calls that cause the driver to misinterpret an internal data structure.
  3. The type confusion corrupts kernel memory in a controlled manner, allowing the attacker to overwrite critical kernel structures (such as token objects or process structures).
  4. The attacker leverages the corrupted state to elevate their process token to SYSTEM, achieving full administrative control over the host.

The low complexity rating suggests the confusion path is relatively straightforward to trigger once the correct input is identified.

Discovery

The vulnerability was discovered and reported by security researchers Puponia and Angelboy, both associated with DEVCORE. DEVCORE has a well established track record of identifying high impact vulnerabilities in widely deployed software, which raises the probability that detailed technical writeups or proof of concept code may surface in the coming weeks or months.

Patch Information

Microsoft released the official fix for CVE-2026-34344 on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. Because afd.sys is a closed source Windows kernel driver, Microsoft has not published a source level diff; the fix is delivered exclusively through cumulative updates on Windows Update and the Microsoft Update Catalog.

The patch corrects the type handling logic so that the driver properly validates the type of the resource before operating on it, eliminating the confusion path. Microsoft's CVSS temporal vector includes RL:O (Official Fix), confirming the remediation is complete.

The update spans a broad matrix of affected products. Every supported Windows desktop and server edition received a corresponding KB article:

Product FamilyKB ArticlePatched Build
Windows 11 26H1 (x64/ARM64)KB508954810.0.28000.2113
Windows 11 25H2 / 24H2 (x64/ARM64)KB5089549 (+ KB5089466 hotpatch)10.0.26100.8457 / 10.0.26200.8457
Windows 11 23H2 (x64/ARM64)KB508742010.0.22631.7079
Windows 10 22H2 / 21H2 (all architectures)KB508754410.0.19045.7291 / 10.0.19044.7291
Windows 10 1809 / Server 2019KB508753810.0.17763.8755
Windows 10 1607 / Server 2016KB508753710.0.14393.9140
Windows Server 2025KB5087539 (+ KB5087423 hotpatch)10.0.26100.32860
Windows Server 2022KB5087545 (+ KB5087424 hotpatch)10.0.20348.5139
Windows Server 2022 23H2KB508754110.0.25398.2330
Windows Server 2012 R2KB50874716.3.9600.23181
Windows Server 2012KB50874706.2.9200.26079

A noteworthy detail: for newer server and desktop editions (Server 2025, Server 2022, Windows 11 24H2/25H2), Microsoft offered both a standard cumulative security update and a separate Security Hotpatch update (e.g., KB5087423, KB5087424, KB5089466). Hotpatching applies in memory patches to a running kernel without requiring a reboot, which is particularly valuable for production servers where downtime must be minimized.

To apply the fix, administrators should install the applicable cumulative update through Windows Update, WSUS, or by downloading the package directly from the Microsoft Update Catalog. Because the vulnerable driver operates at kernel level and the exploit yields SYSTEM privileges with low attack complexity and no user interaction, prompt patching is strongly recommended. Prioritize systems that allow standard user access or host multiple users, as these present the highest risk for local privilege escalation.

Microsoft has not published any workarounds or alternative mitigations for this vulnerability, making the cumulative update the only remediation path.

Affected Systems and Versions

Based on the patch matrix published by Microsoft, the following Windows versions are confirmed affected:

Desktop Editions:

  • Windows 11 version 26H1 (x64 and ARM64)
  • Windows 11 versions 25H2 and 24H2 (x64 and ARM64)
  • Windows 11 version 23H2 (x64 and ARM64)
  • Windows 10 version 22H2 (all architectures)
  • Windows 10 version 21H2 (all architectures)
  • Windows 10 version 1809
  • Windows 10 version 1607

Server Editions:

  • Windows Server 2025
  • Windows Server 2022 (including 23H2)
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012

The vulnerable component, afd.sys, is present on all of these editions. Any system running a build prior to the patched build numbers listed in the Patch Information section above should be considered vulnerable.

Vendor Security History

The May 2026 Patch Tuesday release in which this fix was included addressed a total of 120 security flaws, with no zero days disclosed during the cycle. Microsoft manages vulnerability disclosures and patches through the Microsoft Security Response Center (MSRC). The AFD driver has historically been a target for privilege escalation research; its position as a kernel mode component handling user accessible socket operations makes it a recurring area of interest for both researchers and attackers.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization