Introduction
A race condition in one of the most fundamental kernel drivers on every Windows system just became a viable path to SYSTEM privileges. CVE-2026-35416 targets the Windows Ancillary Function Driver for WinSock (afd.sys), a component that sits at the heart of every networking operation on Windows, and a successful exploit grants full local privilege escalation from a low privileged account.
Released as part of Microsoft's May 2026 Patch Tuesday, this vulnerability carries a CVSS 3.1 base score of 7.0 and an "Exploitation More Likely" assessment from Microsoft. The combination of a kernel level use after free, broad platform exposure across 31 distinct Windows configurations, and a well understood vulnerability class makes this one worth prioritizing in your next patch cycle.
Technical Information
Root Cause: Use After Free in afd.sys
The vulnerability is classified under CWE-416 (Use After Free). The affected component is afd.sys, the Windows Ancillary Function Driver for WinSock. This is a kernel mode driver responsible for managing WinSock operations, serving as the bridge between user mode socket calls and the underlying transport layer. Every Windows system with networking enabled loads this driver.
The underlying flaw is a condition where memory is referenced after it has been deallocated. Specifically, the use after free arises during concurrent operations within the driver, creating a race window. The CVSS vector reflects this with an Attack Complexity of High (AC:H), indicating that exploitation is not trivial and requires the attacker to win a timing dependent race condition.
Because afd.sys is a closed source Windows kernel component, Microsoft does not publish source level diffs. The fix is delivered as a binary update to the driver through cumulative and hotpatch updates. According to the MSRC advisory, the patch corrects the object lifetime management within the WinSock ancillary function driver, ensuring that freed memory is no longer accessible during concurrent operations, effectively closing the race window.
CVSS Vector Breakdown
The full CVSS 3.1 vector provides important context for risk assessment:
| Metric | Value | Implication |
|---|---|---|
| Attack Vector | Local (AV:L) | Attacker needs local access (keyboard, console, or SSH) |
| Attack Complexity | High (AC:H) | Race condition must be won |
| Privileges Required | Low (PR:L) | Any authenticated user account suffices |
| User Interaction | None (UI:N) | No victim action needed |
| Confidentiality Impact | High | Full read access post exploitation |
| Integrity Impact | High | Full write access post exploitation |
| Availability Impact | High | Can crash or control the system |
Attack Flow
Based on the available technical details, the exploitation path follows this general sequence:
-
Initial Access: The attacker obtains a low privileged local session on the target Windows system. This could be via an interactive logon, SSH, or any other mechanism that provides read, write, and execute capabilities on the host.
-
Triggering the Race Condition: The attacker issues carefully timed WinSock operations through the
afd.sysdriver interface. The goal is to create a scenario where a memory object is freed by one thread while another thread still holds a reference to it. -
Exploiting the Dangling Reference: Once the race is won, the attacker manipulates the freed memory region, potentially replacing it with attacker controlled data. In a kernel context, this type of corruption can be leveraged to hijack execution flow or overwrite security tokens.
-
Privilege Escalation: Successful exploitation results in code execution at SYSTEM level, giving the attacker complete control over the host. The high impact ratings across confidentiality, integrity, and availability confirm this outcome.
The attack does not require any user interaction, making it suitable for post compromise automation once an attacker has an initial foothold.
Researcher Credit
The vulnerability was responsibly disclosed by Angelboy (@scwuaptx) of DEVCORE.
Patch Information
Microsoft released an official fix for CVE-2026-35416 on May 12, 2026, as part of its regular Patch Tuesday cycle. The MSRC advisory confirms the remediation level as Official Fix, with exploit code maturity classified as Unproven at the time of publication.
The patch addresses the use after free by correcting the object lifetime management within the WinSock ancillary function driver, ensuring that freed memory is no longer accessible during concurrent operations.
The scope of affected products is broad, spanning client and server editions of Windows. Below are the key KB articles organized by product family:
| Product | KB Article(s) | Build Number |
|---|---|---|
| Windows 11 26H1 (x64/ARM64) | KB5089548 | 10.0.28000.2113 |
| Windows 11 25H2 (x64/ARM64) | KB5089549, KB5089466 (Hotpatch) | 10.0.26200.8457 / 10.0.26200.8390 |
| Windows 11 24H2 (x64/ARM64) | KB5089549, KB5089466 (Hotpatch) | 10.0.26100.8457 / 10.0.26100.8390 |
| Windows 11 23H2 (x64/ARM64) | KB5087420 | 10.0.22631.7079 |
| Windows 10 22H2 / 21H2 | KB5087544 | 10.0.19045.7291 / 10.0.19044.7291 |
| Windows 10 1809 | KB5087538 | 10.0.17763.8755 |
| Windows 10 1607 | KB5087537 | 10.0.14393.9140 |
| Windows Server 2025 | KB5087539, KB5087423 (Hotpatch) | 10.0.26100.32860 / 10.0.26100.32772 |
| Windows Server 2022 (23H2) | KB5087541 | 10.0.25398.2330 |
| Windows Server 2022 | KB5087545, KB5087424 (Hotpatch) | 10.0.20348.5139 / 10.0.20348.5074 |
| Windows Server 2019 | KB5087538 | 10.0.17763.8755 |
| Windows Server 2016 | KB5087537 | 10.0.14393.9140 |
| Windows Server 2012 R2 | KB5087471 | 6.3.9600.23181 |
| Windows Server 2012 | KB5087470 | 6.2.9200.26079 |
For environments running Windows Server 2025 Datacenter Azure Edition and Windows 11 Enterprise with Hotpatch enabled, the fix is also available via hotpatch delivery (e.g., KB5087423, KB5089466), allowing the security update to be applied without requiring a reboot. This is a significant operational advantage for production server environments where downtime windows are constrained.
Standard cumulative updates are available through Windows Update, WSUS, and the Microsoft Update Catalog for all other deployments. No official workarounds are documented by Microsoft; patching is the only supported remediation.
Compensating Controls
While patching remains the definitive fix, network intrusion detection vendors have released coverage that may provide interim visibility:
- Snort published subscriber rules on May 12, 2026, referencing this coding deficiency.
- Check Point released protection advisory CPAI-2026-4385 for their Security Gateway products.
Affected Systems and Versions
The vulnerability affects a wide range of Windows client and server operating systems. The following is the complete list of affected configurations:
Windows Client:
- Windows 11 Version 26H1 (ARM64, x64)
- Windows 11 Version 25H2 (ARM64, x64)
- Windows 11 Version 24H2 (ARM64, x64)
- Windows 11 Version 23H2 (ARM64, x64)
- Windows 10 Version 22H2 (32 bit, ARM64, x64)
- Windows 10 Version 21H2 (32 bit, ARM64, x64)
- Windows 10 Version 1809 (32 bit, x64)
- Windows 10 Version 1607 (32 bit, x64)
Windows Server:
- Windows Server 2025 (Server Core installation and Desktop Experience)
- Windows Server 2022, 23H2 Edition (Server Core installation)
- Windows Server 2022 (Server Core installation and Desktop Experience)
- Windows Server 2019 (Server Core installation and Desktop Experience)
- Windows Server 2016 (Server Core installation and Desktop Experience)
- Windows Server 2012 R2 (Server Core installation and Desktop Experience)
- Windows Server 2012 (Server Core installation and Desktop Experience)
In total, Microsoft lists 31 distinct affected configurations. The vulnerability's maximum severity is rated as Important across all affected products.
Vendor Security History
The afd.sys driver has been a recurring target for privilege escalation research. The May 2026 Patch Tuesday also addressed CVE-2026-34345, another elevation of privilege vulnerability in the same afd.sys WinSock driver, underscoring that this component continues to attract researcher attention. The broader May 2026 Patch Tuesday release addressed 120 vulnerabilities in total, with no zero days exploited in the wild during this cycle.
References
- NVD Entry for CVE-2026-35416
- MSRC Security Update Guide: CVE-2026-35416
- Microsoft Support: KB5087539
- Microsoft Support: KB5087423
- BleepingComputer: Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days
- Snort Subscriber Rules Update 2026-05-12
- Check Point Advisory CPAI-2026-4385
- VulDB Entry for CVE-2026-35416
- Windows Forum: CVE-2026-34345 AFD.sys WinSock EoP Fix
- Desktop Operating System Market Share Worldwide (StatCounter)



