ZeroPath at Black Hat USA 2026

Quick Look: CVE-2026-35416 — Use After Free in Windows WinSock Driver Enables Local Privilege Escalation

A brief summary of CVE-2026-35416, a use after free vulnerability in the Windows Ancillary Function Driver for WinSock (afd.sys) that allows local privilege escalation to SYSTEM. Includes patch details across 31 affected Windows configurations and threat intelligence context.

CVE Analysis

7 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-13

Quick Look: CVE-2026-35416 — Use After Free in Windows WinSock Driver Enables Local Privilege Escalation
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A race condition in one of the most fundamental kernel drivers on every Windows system just became a viable path to SYSTEM privileges. CVE-2026-35416 targets the Windows Ancillary Function Driver for WinSock (afd.sys), a component that sits at the heart of every networking operation on Windows, and a successful exploit grants full local privilege escalation from a low privileged account.

Released as part of Microsoft's May 2026 Patch Tuesday, this vulnerability carries a CVSS 3.1 base score of 7.0 and an "Exploitation More Likely" assessment from Microsoft. The combination of a kernel level use after free, broad platform exposure across 31 distinct Windows configurations, and a well understood vulnerability class makes this one worth prioritizing in your next patch cycle.

Technical Information

Root Cause: Use After Free in afd.sys

The vulnerability is classified under CWE-416 (Use After Free). The affected component is afd.sys, the Windows Ancillary Function Driver for WinSock. This is a kernel mode driver responsible for managing WinSock operations, serving as the bridge between user mode socket calls and the underlying transport layer. Every Windows system with networking enabled loads this driver.

The underlying flaw is a condition where memory is referenced after it has been deallocated. Specifically, the use after free arises during concurrent operations within the driver, creating a race window. The CVSS vector reflects this with an Attack Complexity of High (AC:H), indicating that exploitation is not trivial and requires the attacker to win a timing dependent race condition.

Because afd.sys is a closed source Windows kernel component, Microsoft does not publish source level diffs. The fix is delivered as a binary update to the driver through cumulative and hotpatch updates. According to the MSRC advisory, the patch corrects the object lifetime management within the WinSock ancillary function driver, ensuring that freed memory is no longer accessible during concurrent operations, effectively closing the race window.

CVSS Vector Breakdown

The full CVSS 3.1 vector provides important context for risk assessment:

MetricValueImplication
Attack VectorLocal (AV:L)Attacker needs local access (keyboard, console, or SSH)
Attack ComplexityHigh (AC:H)Race condition must be won
Privileges RequiredLow (PR:L)Any authenticated user account suffices
User InteractionNone (UI:N)No victim action needed
Confidentiality ImpactHighFull read access post exploitation
Integrity ImpactHighFull write access post exploitation
Availability ImpactHighCan crash or control the system

Attack Flow

Based on the available technical details, the exploitation path follows this general sequence:

  1. Initial Access: The attacker obtains a low privileged local session on the target Windows system. This could be via an interactive logon, SSH, or any other mechanism that provides read, write, and execute capabilities on the host.

  2. Triggering the Race Condition: The attacker issues carefully timed WinSock operations through the afd.sys driver interface. The goal is to create a scenario where a memory object is freed by one thread while another thread still holds a reference to it.

  3. Exploiting the Dangling Reference: Once the race is won, the attacker manipulates the freed memory region, potentially replacing it with attacker controlled data. In a kernel context, this type of corruption can be leveraged to hijack execution flow or overwrite security tokens.

  4. Privilege Escalation: Successful exploitation results in code execution at SYSTEM level, giving the attacker complete control over the host. The high impact ratings across confidentiality, integrity, and availability confirm this outcome.

The attack does not require any user interaction, making it suitable for post compromise automation once an attacker has an initial foothold.

Researcher Credit

The vulnerability was responsibly disclosed by Angelboy (@scwuaptx) of DEVCORE.

Patch Information

Microsoft released an official fix for CVE-2026-35416 on May 12, 2026, as part of its regular Patch Tuesday cycle. The MSRC advisory confirms the remediation level as Official Fix, with exploit code maturity classified as Unproven at the time of publication.

The patch addresses the use after free by correcting the object lifetime management within the WinSock ancillary function driver, ensuring that freed memory is no longer accessible during concurrent operations.

The scope of affected products is broad, spanning client and server editions of Windows. Below are the key KB articles organized by product family:

ProductKB Article(s)Build Number
Windows 11 26H1 (x64/ARM64)KB508954810.0.28000.2113
Windows 11 25H2 (x64/ARM64)KB5089549, KB5089466 (Hotpatch)10.0.26200.8457 / 10.0.26200.8390
Windows 11 24H2 (x64/ARM64)KB5089549, KB5089466 (Hotpatch)10.0.26100.8457 / 10.0.26100.8390
Windows 11 23H2 (x64/ARM64)KB508742010.0.22631.7079
Windows 10 22H2 / 21H2KB508754410.0.19045.7291 / 10.0.19044.7291
Windows 10 1809KB508753810.0.17763.8755
Windows 10 1607KB508753710.0.14393.9140
Windows Server 2025KB5087539, KB5087423 (Hotpatch)10.0.26100.32860 / 10.0.26100.32772
Windows Server 2022 (23H2)KB508754110.0.25398.2330
Windows Server 2022KB5087545, KB5087424 (Hotpatch)10.0.20348.5139 / 10.0.20348.5074
Windows Server 2019KB508753810.0.17763.8755
Windows Server 2016KB508753710.0.14393.9140
Windows Server 2012 R2KB50874716.3.9600.23181
Windows Server 2012KB50874706.2.9200.26079

For environments running Windows Server 2025 Datacenter Azure Edition and Windows 11 Enterprise with Hotpatch enabled, the fix is also available via hotpatch delivery (e.g., KB5087423, KB5089466), allowing the security update to be applied without requiring a reboot. This is a significant operational advantage for production server environments where downtime windows are constrained.

Standard cumulative updates are available through Windows Update, WSUS, and the Microsoft Update Catalog for all other deployments. No official workarounds are documented by Microsoft; patching is the only supported remediation.

Compensating Controls

While patching remains the definitive fix, network intrusion detection vendors have released coverage that may provide interim visibility:

  • Snort published subscriber rules on May 12, 2026, referencing this coding deficiency.
  • Check Point released protection advisory CPAI-2026-4385 for their Security Gateway products.

Affected Systems and Versions

The vulnerability affects a wide range of Windows client and server operating systems. The following is the complete list of affected configurations:

Windows Client:

  • Windows 11 Version 26H1 (ARM64, x64)
  • Windows 11 Version 25H2 (ARM64, x64)
  • Windows 11 Version 24H2 (ARM64, x64)
  • Windows 11 Version 23H2 (ARM64, x64)
  • Windows 10 Version 22H2 (32 bit, ARM64, x64)
  • Windows 10 Version 21H2 (32 bit, ARM64, x64)
  • Windows 10 Version 1809 (32 bit, x64)
  • Windows 10 Version 1607 (32 bit, x64)

Windows Server:

  • Windows Server 2025 (Server Core installation and Desktop Experience)
  • Windows Server 2022, 23H2 Edition (Server Core installation)
  • Windows Server 2022 (Server Core installation and Desktop Experience)
  • Windows Server 2019 (Server Core installation and Desktop Experience)
  • Windows Server 2016 (Server Core installation and Desktop Experience)
  • Windows Server 2012 R2 (Server Core installation and Desktop Experience)
  • Windows Server 2012 (Server Core installation and Desktop Experience)

In total, Microsoft lists 31 distinct affected configurations. The vulnerability's maximum severity is rated as Important across all affected products.

Vendor Security History

The afd.sys driver has been a recurring target for privilege escalation research. The May 2026 Patch Tuesday also addressed CVE-2026-34345, another elevation of privilege vulnerability in the same afd.sys WinSock driver, underscoring that this component continues to attract researcher attention. The broader May 2026 Patch Tuesday release addressed 120 vulnerabilities in total, with no zero days exploited in the wild during this cycle.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization