CVE-2026-41088 Overview
CVE-2026-41088 is a local privilege escalation vulnerability in the Windows Ancillary Function Driver (AFD) for WinSock. The flaw stems from external control of a file name or path [CWE-73] within the kernel-mode driver afd.sys. An authenticated local attacker can manipulate path inputs processed by the driver to elevate privileges from a standard user to SYSTEM. Microsoft assigned a CVSS 3.1 base score of 7.8 and published the advisory through the Microsoft Security Update Guide. The vulnerability affects all supported Windows 10, Windows 11, and Windows Server versions running the affected driver.
Critical Impact
A successful exploit grants SYSTEM-level privileges on the local host, enabling full compromise of confidentiality, integrity, and availability.
Affected Products
- Microsoft Windows 10 21H2 and 22H2 (x86, x64, ARM64)
- Microsoft Windows 11 23H2, 24H2, 25H2, and 26H1 (x64, ARM64)
- Microsoft Windows Server 2022, Server 2022 23H2, and Server 2025
Discovery Timeline
- 2026-05-12 - CVE-2026-41088 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-41088
Vulnerability Analysis
The Ancillary Function Driver for WinSock (afd.sys) is a kernel-mode driver that exposes WinSock socket functionality to user-mode applications. The driver accepts handles, path strings, and IOCTL parameters from user-mode callers. CVE-2026-41088 arises because the driver consumes a file name or path derived from attacker-controlled input without sufficient validation or canonicalization. By supplying a crafted path, a local user can influence which file or object the kernel acts upon, leading to operations performed in the SYSTEM security context against attacker-chosen targets.
The issue is classified under [CWE-73]: External Control of File Name or Path. Exploitation does not require user interaction and operates within a single security scope. EPSS data published 2026-05-17 reports a low near-term exploitation probability, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog at publication.
Root Cause
The root cause is the driver's reliance on caller-supplied path data without enforcing strict validation that the path resolves to a location the caller is authorized to access. When the driver performs a privileged file or object operation on that path, the privilege boundary between user mode and kernel mode collapses for that operation.
Attack Vector
The attacker must already have local code execution as a low-privileged authenticated user. The attacker opens a handle to the AFD device and issues IOCTL requests containing a malicious path. The driver processes the path under kernel context, allowing the attacker to perform actions such as overwriting protected files, redirecting object access, or coercing privileged writes that culminate in SYSTEM execution.
No public proof-of-concept or exploit code is available at the time of writing. Refer to the Microsoft Security Update Guide for vendor-supplied technical context.
Detection Methods for CVE-2026-41088
Indicators of Compromise
- Unexpected child processes of low-privileged user sessions running as NT AUTHORITY\SYSTEM shortly after opening handles to \Device\Afd.
- New or modified files in protected directories such as C:\Windows\System32 written by non-administrative users.
- Anomalous IOCTL traffic to afd.sys from processes that do not normally perform networking operations.
Detection Strategies
- Hunt for token impersonation or token theft sequences where a standard user process acquires a SYSTEM token without an expected service host parent.
- Correlate handle-open events for \Device\Afd with subsequent privileged file writes from the same process tree.
- Apply behavioral analytics that flag local privilege escalation patterns originating from interactive user sessions.
Monitoring Recommendations
- Enable Windows kernel auditing and Sysmon Event ID 1 (process creation) and Event ID 11 (file create) for sensitive paths.
- Forward endpoint telemetry to a centralized analytics platform and retain process lineage data for retrospective hunting.
- Monitor for unpatched hosts using vulnerability management scans aligned to Microsoft's May 2026 advisory.
How to Mitigate CVE-2026-41088
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft Security Update Guide to all affected Windows 10, Windows 11, and Windows Server systems.
- Prioritize patching multi-user systems, terminal servers, and developer workstations where local accounts are present.
- Restrict interactive logon rights on servers to reduce the set of users who can stage local exploits.
Patch Information
Microsoft has released cumulative updates addressing CVE-2026-41088 across all supported Windows client and server versions listed in the affected products section. Consult the Microsoft Security Update Guide for the specific KB article matching each operating system build and architecture (x86, x64, ARM64).
Workarounds
- No vendor-approved workaround replaces the security update; install the patch as soon as feasible.
- Enforce application control policies (Windows Defender Application Control or AppLocker) to block execution of unknown binaries that could deliver the exploit.
- Reduce local administrative footprint and apply the principle of least privilege to limit the value of a successful escalation.
# Verify patch deployment status on Windows hosts
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 10
# Query AFD driver version to confirm update
Get-Item C:\Windows\System32\drivers\afd.sys | Select-Object VersionInfo
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
