CVE-2026-21241 Overview
CVE-2026-21241 is a use-after-free vulnerability in the Windows Ancillary Function Driver for WinSock (afd.sys). The flaw allows an authenticated local attacker to elevate privileges to SYSTEM on affected Windows 11 and Windows Server systems. The driver mishandles object lifetimes during WinSock operations, leaving freed memory references reachable from user mode. An attacker who successfully reclaims the freed allocation can corrupt kernel memory and gain arbitrary kernel-mode execution. Microsoft published the advisory through MSRC and assigned the issue to CWE-416. The exploit prediction score (EPSS) currently sits at 0.03% with a percentile of 8.778, and no public proof-of-concept code is available at this time.
Critical Impact
Successful exploitation grants kernel-level code execution, enabling full system compromise, credential theft, and persistent attacker control over the affected host.
Affected Products
- Microsoft Windows 11 (versions 23H2, 24H2, 25H2) on x64 and ARM64
- Microsoft Windows Server 2022 and Windows Server 2022 23H2
- Microsoft Windows Server 2025
Discovery Timeline
- 2026-02-10 - CVE-2026-21241 published to the National Vulnerability Database
- 2026-02-11 - Last updated in NVD database
Technical Details for CVE-2026-21241
Vulnerability Analysis
The Ancillary Function Driver for WinSock (afd.sys) brokers user-mode WinSock requests into the Windows kernel networking stack. The driver allocates and tracks state objects tied to socket handles and asynchronous I/O requests. A use-after-free condition occurs when the driver releases one of these objects while another code path retains a reference. Subsequent operations dereference the dangling pointer, reading or writing memory that may have been reclaimed by attacker-controlled data. Local attackers leverage this primitive to corrupt kernel structures and pivot to SYSTEM-level execution. The vulnerability requires local authentication and exhibits high attack complexity, reflecting the timing precision needed to win the race and groom the kernel pool.
Root Cause
The root cause is improper object lifetime management within afd.sys [CWE-416]. The driver fails to synchronize reference counting or invalidate cached pointers when an associated socket or I/O context is torn down. This leaves a stale kernel pointer reachable through IOCTL handlers or completion routines.
Attack Vector
Exploitation requires local code execution as a standard authenticated user. The attacker issues a crafted sequence of WinSock IOCTLs against \Device\Afd to trigger the freed-object race, then sprays the kernel pool to reclaim the slot with controlled data. Dereferencing the dangling pointer yields kernel read/write primitives that escalate the process token to SYSTEM.
No verified public exploit code is available. See the Microsoft Security Update for CVE-2026-21241 for vendor-confirmed technical details.
Detection Methods for CVE-2026-21241
Indicators of Compromise
- Unexpected token elevation events where a standard-user process gains SYSTEM privileges without an authorized service transition.
- Kernel bugchecks or \Device\Afd-related crashes in afd.sys correlated with user-mode processes performing high-frequency WinSock IOCTLs.
- New service installations, scheduled tasks, or LSASS access from processes that previously ran as non-privileged users.
Detection Strategies
- Hunt for processes opening handles to \Device\Afd followed by rapid NtDeviceIoControlFile calls and abnormal thread priority or token changes.
- Correlate Windows Event ID 4672 (special privileges assigned) with the parent process integrity level to surface unexpected SYSTEM escalations from medium-integrity processes.
- Apply behavioral analytics to identify kernel pool grooming patterns, such as repeated allocations of identically sized objects from user mode.
Monitoring Recommendations
- Forward Sysmon process creation, handle, and image-load telemetry to a centralized analytics platform for retroactive hunting.
- Monitor WER and Minidump crash reports referencing afd! symbols across the fleet, since failed exploitation often produces kernel faults.
- Track patch deployment status of the February 2026 cumulative updates across Windows 11 and Windows Server estates.
How to Mitigate CVE-2026-21241
Immediate Actions Required
- Apply the Microsoft security update referenced in the MSRC advisory to all affected Windows 11 23H2/24H2/25H2 and Windows Server 2022/2025 systems.
- Prioritize patching multi-user systems, jump hosts, RDP gateways, and developer workstations where local access is broadly available.
- Restrict interactive and remote logon rights to reduce the population of users able to trigger local privilege escalation.
Patch Information
Microsoft addressed the use-after-free in afd.sys through the February 2026 security update. Patch metadata, KB numbers, and per-build replacement binaries are published in the Microsoft Security Update for CVE-2026-21241. Apply the cumulative update that matches each host's Windows build and reboot to complete kernel driver replacement.
Workarounds
- No vendor-supplied workaround replaces the patch; deploy the security update as the primary remediation.
- Enforce least-privilege execution and application allowlisting to limit which binaries can issue WinSock IOCTLs from untrusted user contexts.
- Enable Hypervisor-Protected Code Integrity (HVCI) and Kernel Control Flow Guard where compatible to raise the cost of kernel exploitation.
# Verify installed update on Windows hosts
wmic qfe list brief /format:table
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 10
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
