Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33099

CVE-2026-33099: Windows 10 1607 Privilege Escalation Flaw

CVE-2026-33099 is a use-after-free privilege escalation vulnerability in Windows 10 1607 Ancillary Function Driver for WinSock. Authorized attackers can exploit this locally to gain elevated privileges.

Updated:

CVE-2026-33099 Overview

CVE-2026-33099 is a use-after-free vulnerability [CWE-416] in the Windows Ancillary Function Driver for WinSock (afd.sys). The flaw allows an authorized local attacker to elevate privileges on affected Windows desktop and server systems. Microsoft published the advisory on April 14, 2026, with a HIGH severity rating.

The vulnerability affects a broad range of supported Windows versions, including Windows 10, Windows 11, and Windows Server editions from 2012 through 2022. Successful exploitation grants attackers SYSTEM-level privileges from a low-privileged user context.

Critical Impact

A local authenticated attacker can exploit a use-after-free condition in afd.sys to gain SYSTEM privileges, enabling full compromise of the affected host.

Affected Products

  • Microsoft Windows 10 (1607, 1809, 21H2, 22H2)
  • Microsoft Windows 11 (23H2, 24H2, 25H2)
  • Microsoft Windows Server 2012, 2016, 2019, 2022, and 2022 23H2

Discovery Timeline

  • 2026-04-14 - CVE CVE-2026-33099 published to NVD
  • 2026-04-17 - Last updated in NVD database

Technical Details for CVE-2026-33099

Vulnerability Analysis

The vulnerability resides in the Ancillary Function Driver for WinSock, the kernel-mode driver that backs the user-mode Winsock API. afd.sys runs in ring 0 and brokers socket operations between user processes and the TCP/IP stack. A use-after-free condition in this driver lets an attacker manipulate kernel memory after it has been freed.

The attacker must already have authenticated local access to the target system. Exploitation requires winning a race condition or precisely sequencing socket operations, which is reflected in the high attack complexity rating. Successful exploitation results in arbitrary code execution in kernel context.

Root Cause

The root cause is improper object lifetime management within afd.sys. A kernel object referenced by socket-related operations is freed while another code path still holds a reference to it. When the dangling reference is later dereferenced, an attacker who has reclaimed the freed allocation with controlled data can redirect execution or corrupt kernel structures.

Attack Vector

The attack vector is local. An attacker with standard user credentials issues a crafted sequence of Winsock IOCTL or socket calls that trigger the freed allocation path. By spraying kernel pool allocations to occupy the freed slot, the attacker controls the contents of the reused memory. The subsequent dereference allows privilege escalation from the attacker's user context to SYSTEM.

This class of afd.sys bug has historically been favored by ransomware operators and post-exploitation toolkits because the driver is reachable from sandboxed and low-integrity processes. No public proof-of-concept has been released for CVE-2026-33099 at publication time, and it is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2026-33099

Indicators of Compromise

  • Unexpected token duplication or process handle inheritance where a low-privileged process spawns children running as NT AUTHORITY\SYSTEM.
  • Kernel bug checks (BSOD) referencing afd.sys on hosts running unpatched builds, which may indicate failed exploitation attempts.
  • New service installations, scheduled tasks, or registry persistence written by a user process immediately after suspicious socket activity.

Detection Strategies

  • Monitor for anomalous parent-child process relationships where a non-elevated process appears to spawn elevated children without using documented elevation mechanisms.
  • Hunt for processes opening unusual handles to \Device\Afd followed by rapid allocation and free patterns typical of kernel pool grooming.
  • Correlate Windows Event Log entries for privilege assignment (Event ID 4672) with the originating process integrity level to flag unexpected SYSTEM acquisitions.

Monitoring Recommendations

  • Enable kernel-mode driver integrity logging and ship afd.sys crash dumps to a central location for triage.
  • Track post-exploitation behaviors such as credential dumping from lsass.exe, defender tampering, and service creation that frequently follow local privilege escalation.
  • Apply behavioral identification rules for known local privilege escalation tradecraft and review alerts on hosts that have not yet received the April 2026 cumulative update.

How to Mitigate CVE-2026-33099

Immediate Actions Required

  • Apply the Microsoft security update referenced in the Microsoft CVE-2026-33099 Update advisory to all affected Windows 10, Windows 11, and Windows Server systems.
  • Prioritize patching multi-user systems, terminal servers, and developer workstations where untrusted local code is more likely to run.
  • Audit local account membership and reduce the number of users with interactive logon rights on sensitive servers.

Patch Information

Microsoft has released cumulative updates addressing CVE-2026-33099. Refer to the Microsoft Security Response Center advisory for build-specific KB article numbers and download links. The update replaces the vulnerable afd.sys driver with a corrected version that fixes the object lifetime handling.

Workarounds

  • No vendor-supplied workaround replaces the security update; Microsoft recommends installing the patch.
  • Restrict local logon and remote desktop access to trusted administrative users to reduce the population of accounts able to trigger the flaw.
  • Enforce application allowlisting (for example, Windows Defender Application Control) so unsigned exploitation binaries cannot execute on protected hosts.
bash
# Verify the installed afd.sys version after patching (PowerShell)
Get-Item C:\Windows\System32\drivers\afd.sys | Select-Object VersionInfo

# List installed updates to confirm the relevant KB is present
Get-HotFix | Sort-Object -Property InstalledOn -Descending

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.