Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-25176

CVE-2026-25176: Windows 10 1607 Privilege Escalation Flaw

CVE-2026-25176 is a privilege escalation vulnerability in Microsoft Windows 10 1607 affecting the Ancillary Function Driver for WinSock. This flaw allows authorized attackers to elevate privileges locally through improper access control.

Updated:

CVE-2026-25176 Overview

CVE-2026-25176 is an improper access control vulnerability in the Windows Ancillary Function Driver for WinSock (afd.sys). The flaw allows a locally authenticated attacker to elevate privileges on affected Windows desktop and server platforms. Microsoft published the advisory on March 10, 2026, and the issue is tracked under CWE-284: Improper Access Control. The vulnerability impacts a broad range of supported Windows 10, Windows 11, and Windows Server releases. Successful exploitation grants attackers higher-integrity execution context, typically SYSTEM, from a low-privileged user session.

Critical Impact

A low-privileged local user can escalate to SYSTEM-level privileges through improper access control in the WinSock kernel driver, leading to full host compromise.

Affected Products

  • Microsoft Windows 10 (1607, 1809, 21H2, 22H2) across x86, x64, and arm64
  • Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1) across x64 and arm64
  • Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025

Discovery Timeline

  • 2026-03-10 - CVE-2026-25176 published to NVD
  • 2026-03-13 - Last updated in NVD database

Technical Details for CVE-2026-25176

Vulnerability Analysis

The Ancillary Function Driver for WinSock (afd.sys) is the kernel-mode component that backs the user-mode Winsock API. It handles socket operations, I/O control requests, and asynchronous network primitives for every process that opens a socket. Because afd.sys runs in ring 0, any access control failure in its IOCTL or object-handling paths exposes a direct path from user mode to kernel-mode privilege.

CVE-2026-25176 is classified under CWE-284 (Improper Access Control). The driver fails to correctly validate the caller's privilege or object ownership before performing a privileged operation. An authorized local user can issue crafted requests that the driver should reject, gaining write or execution primitives in kernel context.

Exploitation requires local access and low privileges, but no user interaction. The result is full compromise of confidentiality, integrity, and availability on the affected host.

Root Cause

The root cause is missing or insufficient access control checks within afd.sys request handling. When a user-mode caller invokes specific socket I/O paths, the driver does not properly enforce the security boundary between the caller's token and the resources or operations exposed by the driver. This allows a standard user to direct the driver to perform actions reserved for privileged contexts.

Attack Vector

The attack vector is local. An attacker who has obtained code execution as any authenticated user, including via phishing payloads, malicious installers, or compromised service accounts, can interact with afd.sys through standard Winsock or DeviceIoControl interfaces. By submitting crafted requests against the vulnerable code path, the attacker triggers the access control failure and obtains SYSTEM-level execution. This pattern is consistent with prior afd.sys elevation-of-privilege bugs that have been used as second-stage components in ransomware and post-compromise toolkits. No verified proof-of-concept code is publicly available at the time of writing.

Detection Methods for CVE-2026-25176

Indicators of Compromise

  • Unexpected processes spawning under the NT AUTHORITY\SYSTEM token from a parent process owned by a standard user.
  • Anomalous loading or interaction with \Device\Afd from non-network applications, particularly short-lived or unsigned binaries.
  • Creation of new services, scheduled tasks, or local administrator accounts immediately following a low-privileged user logon.

Detection Strategies

  • Monitor for token manipulation and integrity-level transitions where a medium-integrity process suddenly executes child processes at high or system integrity.
  • Hunt for suspicious DeviceIoControl activity targeting the AFD device from non-browser, non-network-service processes.
  • Correlate Windows Security event IDs 4672 (special privileges assigned) and 4688 (process creation) for unexpected SYSTEM-level activity originating from interactive user sessions.

Monitoring Recommendations

  • Enable kernel-mode driver and process telemetry across all Windows endpoints and servers in scope of the affected product list.
  • Forward Sysmon and Windows Defender Application Control logs to a central data lake for retrospective hunting after patch deployment.
  • Baseline normal afd.sys interactions per host role so that deviations such as elevation chains from office productivity software are surfaced quickly.

How to Mitigate CVE-2026-25176

Immediate Actions Required

  • Apply the Microsoft security update referenced in the Microsoft CVE-2026-25176 Advisory to all affected Windows 10, Windows 11, and Windows Server systems.
  • Prioritize patching of multi-user systems, jump hosts, RDP servers, and developer workstations where local code execution by standard users is most likely.
  • Audit local accounts and remove unnecessary interactive logon rights to reduce the population of users who can trigger local privilege escalation.

Patch Information

Microsoft has issued cumulative security updates addressing CVE-2026-25176 across all listed Windows client and server SKUs. Refer to the Microsoft Security Response Center advisory for the specific KB numbers per build. Install the updates through Windows Update, WSUS, Microsoft Update Catalog, or your enterprise patch management workflow and reboot to fully load the updated afd.sys.

Workarounds

  • No vendor-supplied workaround replaces the patch. Restrict local logon and limit code execution by standard users until updates are deployed.
  • Enforce application control policies such as Windows Defender Application Control or AppLocker to block untrusted binaries that would be used to chain into the local privilege escalation.
  • Monitor for and remove unauthorized persistence mechanisms on hosts that remain unpatched, and isolate any system showing the indicators listed above.
bash
# Verify the installed afd.sys file version after patching
Get-Item C:\Windows\System32\drivers\afd.sys | Select-Object Name, VersionInfo

# Confirm the latest cumulative update is installed
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 5

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne