CVE-2026-21236 Overview
CVE-2026-21236 is a heap-based buffer overflow in the Windows Ancillary Function Driver for WinSock (afd.sys). The flaw allows an authorized local attacker to elevate privileges to SYSTEM on affected Windows and Windows Server releases. Microsoft published the advisory on February 10, 2026, covering Windows 10, Windows 11 (through 25H2), and Windows Server editions from 2012 through 2025. The vulnerability is tracked under [CWE-122] (heap-based buffer overflow) and [CWE-787] (out-of-bounds write).
Critical Impact
A local attacker with low-privileged authenticated access can corrupt kernel heap memory through afd.sys and gain SYSTEM-level code execution, leading to full compromise of confidentiality, integrity, and availability.
Affected Products
- Microsoft Windows 10 (1607, 1809, 21H2, 22H2) across x86, x64, and ARM64 builds
- Microsoft Windows 11 (23H2, 24H2, 25H2) across x64 and ARM64 builds
- Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2026-02-10 - CVE-2026-21236 published to NVD
- 2026-02-11 - Last updated in NVD database
Technical Details for CVE-2026-21236
Vulnerability Analysis
The Ancillary Function Driver for WinSock (afd.sys) is the kernel-mode driver that backs user-mode WinSock socket operations through the \Device\Afd device object. The driver processes IOCTL requests issued by socket APIs such as WSAIoctl and NtDeviceIoControlFile. CVE-2026-21236 stems from improper validation of a size or length value used during a heap allocation or copy inside afd.sys, resulting in an out-of-bounds write on a kernel pool buffer.
Because afd.sys executes in kernel context, corrupting an adjacent pool chunk allows an attacker to overwrite kernel object fields. Practical exploitation paths against similar AFD bugs have targeted pool header metadata or pipe attribute objects to gain arbitrary read/write primitives, then replaced the current process token with the SYSTEM token.
Root Cause
The root cause is a heap-based buffer overflow ([CWE-122]) combined with an out-of-bounds write ([CWE-787]) inside the WinSock ancillary driver. A length value derived from attacker-controlled IOCTL input is trusted without sufficient bounds checking, causing the driver to write past the end of a kernel heap allocation.
Attack Vector
Exploitation requires local, authenticated access. The attacker opens a handle to the AFD device, then issues a crafted IOCTL with malformed input or output buffer parameters. No user interaction is required, and the attack runs in a single security context. Microsoft has not reported in-the-wild exploitation, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog as of publication.
No verified public proof-of-concept exists for CVE-2026-21236 at the time of writing. Refer to the Microsoft Security Update Guide entry for CVE-2026-21236 for vendor technical details.
Detection Methods for CVE-2026-21236
Indicators of Compromise
- Unexpected child processes (for example cmd.exe, powershell.exe) spawned from low-privileged user processes running as NT AUTHORITY\SYSTEM.
- Process token replacement events where a non-elevated process suddenly references the SYSTEM token.
- Kernel bugchecks referencing afd.sys or pool corruption stop codes such as BAD_POOL_HEADER (0x19) shortly after suspicious IOCTL activity.
Detection Strategies
- Hunt for unusual local processes opening handles to \Device\Afd followed by privilege transitions in the same parent-child chain.
- Correlate Windows Security event ID 4688 (process creation) with sudden integrity-level elevation from Medium to System on the same user session.
- Apply behavioral identification rules that flag user-mode binaries triggering kernel pool corruption telemetry from Event Tracing for Windows (ETW) kernel providers.
Monitoring Recommendations
- Enable command-line auditing and PowerShell script block logging on all endpoints to capture local elevation tooling.
- Forward Windows kernel and security event logs to a central SIEM or data lake for cross-host correlation.
- Monitor patch deployment status of the February 2026 Microsoft security rollup across the Windows estate and alert on hosts that remain unpatched.
How to Mitigate CVE-2026-21236
Immediate Actions Required
- Apply the February 2026 Microsoft security update for every affected Windows and Windows Server SKU listed in the advisory.
- Prioritize multi-user systems, terminal servers, virtual desktop hosts, and developer workstations where local accounts are most prevalent.
- Audit local account membership and remove unnecessary interactive logon rights to reduce the population of users who can trigger the flaw.
Patch Information
Microsoft has released cumulative security updates that address CVE-2026-21236. Refer to the Microsoft Security Update Guide for CVE-2026-21236 for the specific KB article and build numbers that apply to each supported Windows and Windows Server release.
Workarounds
- No vendor-supplied workaround exists; patching is the only supported remediation.
- Restrict local logon and Remote Desktop access to administrators only on servers that cannot be patched immediately.
- Enforce application allowlisting (for example Windows Defender Application Control) to block execution of unsigned local elevation tools while patching is in progress.
# Verify patch installation status on a Windows host
wmic qfe list brief /format:table
# Or with PowerShell, list installed updates and filter by KB
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 20
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
