CVE-2026-25178: Windows 10 1607 Privilege Escalation Flaw

CVE-2026-25178 is a use-after-free privilege escalation vulnerability in Microsoft Windows 10 1607's Ancillary Function Driver for WinSock. An authorized local attacker can exploit it to gain elevated privileges.

Updated: May 14, 2026

CVE-2026-25178 Overview

CVE-2026-25178 is a use-after-free vulnerability [CWE-416] in the Windows Ancillary Function Driver for WinSock (afd.sys). The flaw allows a locally authenticated attacker to elevate privileges to SYSTEM on affected Windows desktop and Server editions. Microsoft published the advisory on March 10, 2026.

The afd.sys driver is a kernel-mode component that brokers Winsock socket operations between user mode and the TCP/IP stack. Successful exploitation gives an attacker full control of the host, including the ability to install programs, modify data, and create new privileged accounts.

Critical Impact

A low-privileged local user can corrupt kernel memory through afd.sys and gain SYSTEM-level code execution, compromising confidentiality, integrity, and availability of the affected system.

Affected Products

  • Microsoft Windows 10 (versions 1607, 1809, 21H2, 22H2) across x86, x64, and ARM64
  • Microsoft Windows 11 (versions 23H2, 24H2, 25H2, 26H1) on x64 and ARM64
  • Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, and Server 2025

Discovery Timeline

  • 2026-03-10 - CVE-2026-25178 published to NVD and Microsoft releases security update
  • 2026-03-13 - Last updated in NVD database

Technical Details for CVE-2026-25178

Vulnerability Analysis

The vulnerability resides in the Ancillary Function Driver for WinSock, afd.sys, which exposes IOCTL interfaces consumed by user-mode Winsock clients. A use-after-free condition occurs when the driver references a kernel object after the underlying allocation has been released. The attack complexity is rated High because exploitation requires winning a race or arranging a specific allocation state before the freed object is reused.

Once triggered, an attacker can reclaim the freed memory with attacker-controlled data and influence subsequent driver operations. This leads to arbitrary kernel read or write primitives that can be chained to overwrite a token or callback pointer, yielding code execution in the kernel context.

Root Cause

The root cause is improper object lifetime management within afd.sys. A reference count or synchronization gap allows one code path to free an object while another path retains and uses a pointer to the same memory. The reused pointer then operates on memory whose contents have been replaced by another allocation.

Attack Vector

The attack vector is local. The adversary must already hold low privileges on the target, such as a standard interactive user or a constrained service account. Exploitation typically involves issuing crafted IOCTLs to \Device\Afd while manipulating socket state to race the driver into accessing the freed object. No user interaction is required, and the scope is unchanged because the bug is contained within the local kernel boundary.

No public proof-of-concept code is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Microsoft Security Update Guide for CVE-2026-25178 for vendor-confirmed technical details.

Detection Methods for CVE-2026-25178

Indicators of Compromise

  • Unexpected child processes spawned by non-administrative users with NT AUTHORITY\SYSTEM integrity
  • Kernel bugchecks or KMODE_EXCEPTION_NOT_HANDLED crashes referencing afd.sys in memory dumps
  • Unsigned or unknown binaries opening handles to \Device\Afd followed by token manipulation
  • Anomalous IOCTL traffic to the AFD driver from non-network-oriented processes

Detection Strategies

  • Monitor for process token changes where a non-privileged process suddenly acquires the SYSTEM token, indicating token theft after kernel compromise
  • Hunt for sequences of NtCreateFile on \Device\Afd followed by NtDeviceIoControlFile from low-reputation binaries
  • Correlate kernel crash telemetry with subsequent privileged process creation events on the same host
  • Apply behavioral analytics to flag local privilege escalation chains that culminate in lsass.exe access or new local administrator account creation

Monitoring Recommendations

  • Enable Windows Event Log forwarding for Security channel events 4672, 4688, and 4732 and ship them to a centralized SIEM
  • Collect Sysmon Event ID 1 (process creation) and Event ID 10 (process access) to capture privilege transitions
  • Retain kernel minidumps from endpoints to support post-incident driver analysis
  • Track patch compliance for the March 2026 Microsoft security rollup across all Windows servers and workstations
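The token-transition hunt and the crash correlation described in the two lists above, as an added PowerShell example that is not part of the original page: it reads Security 4688 events whose Target Subject is the SYSTEM SID while the creator is an ordinary user, then checks the System log for a BugCheck 1001 event in the preceding hour. The function names and the one-hour window are my own choices; the event IDs, field names and SID values are standard Windows ones.

```powershell
# Hunt for 4688 events in which a non-service creator produced a process holding
# a SYSTEM token, the pattern left behind by token theft after a kernel compromise.
function Get-TokenTheftCandidates {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $serviceSids = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'   # SYSTEM, LOCAL SERVICE, NETWORK SERVICE
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Target Subject is S-1-0-0 when the new process simply inherits the creator's token;
        # a real SYSTEM SID there, from a creator that is not a service account, is the signal.
        if ($d['TargetUserSid'] -eq 'S-1-5-18' -and $serviceSids -notcontains $d['SubjectUserSid']) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Creator    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                NewProcess = $d['NewProcessName']
                Parent     = $d['ParentProcessName']
            }
        }
    }
}

# Kernel crash telemetry (System log, source BugCheck, Event ID 1001) for correlation.
function Get-RecentBugChecks {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
                 Id = 1001; StartTime = $since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Flag SYSTEM-token transitions that follow a bugcheck within one hour on this host
# (a failed race attempt often crashes the box before a later attempt succeeds).
$crashes = @(Get-RecentBugChecks)
foreach ($hit in Get-TokenTheftCandidates) {
    $priorCrash = $crashes | Where-Object {
        $_.TimeCreated -le $hit.Time -and $_.TimeCreated -gt $hit.Time.AddHours(-1)
    }
    $hit | Add-Member -NotePropertyName BugCheckWithin1h -NotePropertyValue ([bool]$priorCrash) -PassThru
}
```

Run it elevated on a host with 4688 auditing enabled; expect some baseline noise from legitimate service-control paths, so review hits by Creator and Parent before escalating.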

How to Mitigate CVE-2026-25178

Immediate Actions Required

  • Deploy the March 2026 Microsoft security update referenced in the Microsoft Security Update Guide for CVE-2026-25178 to all affected Windows endpoints and servers
  • Prioritize patching multi-user systems such as terminal servers, VDI hosts, and developer workstations where low-privileged accounts are common
  • Audit local account membership and remove unnecessary interactive logon rights to reduce the population of users who could trigger the bug
  • Verify that endpoint protection is active and reporting on every host to detect post-exploitation behavior

Patch Information

Microsoft addressed the vulnerability through cumulative updates released for each supported Windows branch. Administrators should apply the relevant security update via Windows Update, Windows Server Update Services (WSUS), Microsoft Update Catalog, or their configuration management platform. Confirm installation by checking the build number against Microsoft's release notes for the affected SKU.

Workarounds

  • No official workaround replaces the patch; restrict local logon and remote desktop access to trusted administrators until the update is deployed
  • Enforce application allowlisting through Windows Defender Application Control or AppLocker to block unsigned binaries that could deliver the exploit
  • Enable Hypervisor-Protected Code Integrity (HVCI) and Credential Guard to raise the difficulty of kernel-mode exploitation
  • Increase logging verbosity on driver load events and kernel crashes to shorten detection time if exploitation is attempted
```powershell
# Verify patch installation status on Windows hosts
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 10

# Check current build to confirm the March 2026 update is applied:
# compare Major.Minor.Build.UBR against the build listed in Microsoft's release notes for this SKU
$ver = [System.Environment]::OSVersion.Version
$ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
'{0}.{1}.{2}.{3}' -f $ver.Major, $ver.Minor, $ver.Build, $ubr
```
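A posture check for the workarounds listed above, added here as an example and not code from the original page: it reads Win32_DeviceGuard for the VBS, HVCI, Credential Guard and WDAC enforcement state and inspects the effective AppLocker EXE rule collection. The function name and the closing gap summary are my own; the CIM class, property names and value encodings are Microsoft's documented ones.

```powershell
# Report whether the kernel-hardening workarounds are actually in force on this host.
# Win32_DeviceGuard encoding: SecurityServicesRunning contains 1 for Credential Guard and
# 2 for HVCI; VirtualizationBasedSecurityStatus 2 = running; policy enforcement 0/1/2 = off/audit/enforced.
function Get-KernelHardeningStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $enf = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $status = [ordered]@{
        VbsRunning       = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuard  = ($dg.SecurityServicesRunning -contains 1)
        Hvci             = ($dg.SecurityServicesRunning -contains 2)
        WdacKernelPolicy = $enf[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        WdacUserPolicy   = $enf[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
    # AppLocker: effective enforcement mode of the EXE rule collection (NotConfigured/AuditOnly/Enabled)
    $exe = (Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue).RuleCollections |
           Where-Object { $_.RuleCollectionType -eq 'Exe' }
    $status.AppLockerExe = if ($exe) { $exe.EnforcementMode.ToString() } else { 'NotConfigured' }
    [pscustomobject]$status
}

$s = Get-KernelHardeningStatus
$s

# Summarise which of the page's workarounds are still missing.
$gaps = @()
if (-not $s.Hvci)            { $gaps += 'HVCI (memory integrity) is not running' }
if (-not $s.CredentialGuard) { $gaps += 'Credential Guard is not running' }
if ($s.WdacKernelPolicy -ne 'Enforced' -and $s.AppLockerExe -ne 'Enabled') {
    $gaps += 'No enforced allowlisting for executables (WDAC or AppLocker)'
}
if ($gaps) { Write-Warning ('Hardening gaps: ' + ($gaps -join '; ')) }
```

Audit-only WDAC or AppLocker modes show up as gaps on purpose: they log but do not block an unsigned loader.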

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Privilege Escalation
  • Vendor/Tech: Windows
  • Severity: HIGH
  • CVSS Score: 7.0
  • EPSS Probability: 0.04%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: High
  • Integrity: None
  • Availability: High

CWE References

  • CWE-416

Vendor Resources

  • Microsoft Security Update CVE-2026-25178

Related CVEs

  • CVE-2026-41088: Windows 10 21H2 Privilege Escalation Flaw
  • CVE-2026-41095: Windows Server 2012 Privilege Escalation
  • CVE-2026-40382: Windows 10 1607 Privilege Escalation Flaw
  • CVE-2026-40397: Windows 10 1607 Privilege Escalation Flaw
©2026 SentinelOne, All Rights Reserved.