CVE-2026-20810 Overview
CVE-2026-20810 is a local privilege escalation vulnerability in the Windows Ancillary Function Driver for WinSock (afd.sys). The flaw stems from freeing memory that does not reside on the heap [CWE-590], which a local authenticated attacker can leverage to elevate privileges to SYSTEM. Microsoft published the advisory on January 13, 2026, covering Windows 10 versions 1809, 21H2, 22H2, and Windows Server 2019. Successful exploitation grants full control over the affected host, including confidentiality, integrity, and availability impact.
Critical Impact
A low-privileged local user can escalate to SYSTEM by triggering an improper free in the WinSock kernel driver, enabling kernel-mode code execution and complete host compromise.
Affected Products
- Microsoft Windows 10 1809 (x64 and x86)
- Microsoft Windows 10 21H2 and 22H2
- Microsoft Windows Server 2019
Discovery Timeline
- 2026-01-13 - CVE-2026-20810 published to NVD
- 2026-01-14 - Last updated in NVD database
Technical Details for CVE-2026-20810
Vulnerability Analysis
The Ancillary Function Driver for WinSock (afd.sys) is a kernel-mode driver that brokers user-mode socket calls into the Windows networking stack. CVE-2026-20810 occurs when the driver invokes a free routine against a memory region that was not allocated from the kernel pool heap. This condition corresponds to [CWE-590]: Free of Memory Not on the Heap.
When the kernel allocator metadata for a freed pointer is invalid or references stack, global, or otherwise non-pool memory, the pool manager can corrupt adjacent allocations or its own bookkeeping structures. An attacker who controls adjacent memory layout can convert this corruption into an arbitrary write primitive in kernel space. The attack requires only local access and low privileges with no user interaction.
Root Cause
The root cause is a logic error in afd.sys that calls a pool free function (such as ExFreePoolWithTag) on a pointer whose origin is not a pool allocation. This typically results from a code path that aliases a user-influenced buffer pointer with a kernel-managed allocation, or from a missing validation check before deallocation.
Attack Vector
Exploitation requires the attacker to execute code on the target system as an authenticated user. The attacker issues crafted IOCTL or socket-related system calls to afd.sys that drive the vulnerable code path. Successful manipulation of the pool state allows the attacker to overwrite kernel objects and obtain SYSTEM-level execution. No remote network access and no user interaction are required.
No public proof-of-concept exploit code has been published, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.05%.
Detection Methods for CVE-2026-20810
Indicators of Compromise
- Unexpected system crashes or bug checks referencing afd.sys, particularly BAD_POOL_CALLER (0xC2) or BAD_POOL_HEADER (0x19).
- Creation of new SYSTEM-context processes spawned from user sessions without an administrative parent.
- Anomalous handle openings to \Device\Afd followed by unusual NtDeviceIoControlFile activity from non-network applications.
Detection Strategies
- Monitor Windows Error Reporting and minidumps for kernel pool corruption events tied to afd.sys.
- Hunt for local privilege escalation patterns: a non-admin process suddenly enabling SeDebugPrivilege or accessing tokens of SYSTEM processes.
- Correlate Sysmon driver load events (Event ID 6) and unsigned or unusual driver behavior with subsequent token manipulation.
Monitoring Recommendations
- Enable Microsoft Defender for Endpoint or equivalent EDR telemetry for kernel-mode anomaly identification and token theft signals.
- Forward Sysmon Event IDs 1, 10, and 25 to a centralized log platform to detect process access and token impersonation patterns.
- Audit Windows Update compliance to confirm the January 2026 cumulative update is deployed across the fleet.
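The PowerShell script below is an added example for the indicators and detection strategies listed above; it is not part of this advisory. It checks a single host for two of the signals: bug check events in the System log whose stop code is 0xC2 (BAD_POOL_CALLER) or 0x19 (BAD_POOL_HEADER), together with recent minidump files, and Sysmon Event ID 1 process creations that run as SYSTEM but whose parent is not one of the usual SYSTEM service hosts. It assumes an elevated session, Sysmon installed with process creation logging enabled, and that the parent allow-list (an assumption to tune per build) is reasonable for the host.

```powershell
# Added example (not from the advisory): hunt for pool-corruption bug checks
# and SYSTEM-context processes with an unexpected parent on one host.
# Run from an elevated PowerShell session; part 2 needs Sysmon.

$lookback = (Get-Date).AddDays(-30)

# --- 1. Bug checks pointing at pool corruption (Event ID 1001, System log) ---
$bugChecks = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
    Id           = 1001
    StartTime    = $lookback
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0x000000c2|0x00000019' } |
    Select-Object TimeCreated, Message

if ($bugChecks) {
    Write-Warning 'BAD_POOL_CALLER / BAD_POOL_HEADER bug checks found; review the dumps for afd.sys frames:'
    $bugChecks | Format-List
} else {
    Write-Output 'No BAD_POOL_CALLER / BAD_POOL_HEADER bug checks in the last 30 days.'
}

# Minidumps written by those crashes; the dump is what the analyst opens.
Get-ChildItem -Path 'C:\Windows\Minidump' -Filter '*.dmp' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $lookback } |
    Select-Object Name, LastWriteTime, Length

# --- 2. SYSTEM processes whose parent is not a normal SYSTEM service host ----
# Allow-list is an assumption; extend it for agents that legitimately spawn
# SYSTEM children on your builds.
$expectedParents = @('services.exe', 'wininit.exe', 'svchost.exe', 'smss.exe',
                     'csrss.exe', 'winlogon.exe', 'lsass.exe', 'System')

Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = $lookback
} -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    $parent = if ($d['ParentImage']) { Split-Path -Leaf $d['ParentImage'] } else { '' }
    if ($d['User'] -eq 'NT AUTHORITY\SYSTEM' -and $parent -notin $expectedParents) {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Image       = $d['Image']
            ParentImage = $d['ParentImage']
            ParentUser  = $d['ParentUser']   # populated on newer Sysmon builds (assumption)
        }
    }
} | Format-Table -AutoSize
```

A hit in part 2 is only a lead: a SYSTEM child of a user-session process (for example a parent whose ParentUser is an interactive account) is what the "SYSTEM-context processes spawned from user sessions" indicator describes, and should be pivoted on with Sysmon Event ID 10 (process access) and 25 (process tampering) around the same timestamp.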
How to Mitigate CVE-2026-20810
Immediate Actions Required
- Apply the January 2026 Microsoft security update referenced in the Microsoft Security Update CVE-2026-20810 advisory to all affected Windows 10 and Windows Server 2019 systems.
- Prioritize patching on multi-user systems, terminal servers, and developer workstations where untrusted local code execution is more likely.
- Restrict local logon rights and remove unnecessary interactive user accounts from sensitive hosts.
Patch Information
Microsoft has released cumulative updates that remediate afd.sys. Refer to the Microsoft Security Update CVE-2026-20810 advisory for the specific KB article numbers corresponding to each supported Windows build.
Workarounds
- No vendor-supplied workaround exists; patching is the only supported remediation.
- Reduce exposure by enforcing the principle of least privilege and blocking execution of untrusted binaries through application control policies such as Windows Defender Application Control or AppLocker.
- Enable Hypervisor-protected Code Integrity (HVCI) and Credential Guard to raise the cost of kernel exploitation chains.
# Verify installed updates and the afd.sys file version on a Windows host (run from an elevated PowerShell session)
Get-HotFix | Sort-Object InstalledOn -Descending | Format-Table HotFixID, Description, InstalledOn
Get-Item C:\Windows\System32\drivers\afd.sys | Select-Object Name, @{ n = 'FileVersion'; e = { $_.VersionInfo.FileVersion } }
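The following PowerShell script is an added example, not part of this advisory, that reports whether the compensating controls named under Workarounds are actually active on a host: virtualization-based security, HVCI (memory integrity), Credential Guard, the WDAC enforcement mode for kernel and user mode, and the effective AppLocker executable rule collection. It reads the Win32_DeviceGuard WMI class (available on Windows 10 1809 and later and on Server 2019) and, where the AppLocker module is present, the effective policy as XML; the status code meanings in the comments are those documented for that class.

```powershell
# Added example (not from the advisory): report the posture of the
# compensating controls recommended under Workarounds. Run elevated.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
$vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
$credGuard = $dg.SecurityServicesRunning -contains 1
$hvci      = $dg.SecurityServicesRunning -contains 2

# *PolicyEnforcementStatus: 0 = off, 1 = audit mode, 2 = enforced.
$wdacKernel = switch ($dg.CodeIntegrityPolicyEnforcementStatus) {
    0 { 'Off' } 1 { 'Audit' } 2 { 'Enforced' } default { 'Unknown' }
}
$wdacUser = switch ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus) {
    0 { 'Off' } 1 { 'Audit' } 2 { 'Enforced' } default { 'Unknown' }
}

# AppLocker: look at the effective Exe rule collection and its enforcement mode.
$appLocker = 'AppLocker module not available'
if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
    [xml]$pol = Get-AppLockerPolicy -Effective -Xml
    $exe = $pol.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    $appLocker = if ($exe) { "Exe collection: $($exe.EnforcementMode)" } else { 'No Exe rule collection' }
}

# One row per host; collect these across the fleet to find unprotected machines.
[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    VBSRunning      = $vbsRunning
    HVCI            = $hvci
    CredentialGuard = $credGuard
    WDACKernelMode  = $wdacKernel
    WDACUserMode    = $wdacUser
    AppLocker       = $appLocker
}
```

A host reporting HVCI and Credential Guard as False and WDAC as Off has none of the listed compensating controls, so it should be at the front of the patch queue rather than relying on workarounds.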
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.