A new use‑after‑free vulnerability (CVE‑2026‑25178) has been published in Microsoft’s “Ancillary Function Driver for WinSock” (AFD.sys) that allows an authorized local user to elevate privileges, and the vendor has listed the issue in its Security Update Guide. (msrc.microsoft.com)
Summary — quick facts
- Vulnerability: Use‑after‑free in the Windows Ancillary Function Driver for WinSock (AFD.sys).
- Impact: Local elevation of privilege (an authenticated, local attacker may be able to gain SYSTEM or otherwise higher privileges).
- Remote exploitation: Not remotely exploitable; attacker requires local access.
- CVSS (reported by third‑party aggregators): CVSS v3.1 base score reported as 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
- Vendor reference: Microsoft Security Update Guide entry for CVE‑2026‑25178. (msrc.microsoft.com)
- Publication / disclosure: Public entries for the CVE appeared on March 10, 2026 (aggregators list the same date).
The user-supplied metric description frames “confidence” as a measure of how strongly the community can assert (a) the vulnerability’s existence, and (b) the technical accuracy and completeness of the public details. In practical terms for defenders and risk teams, this boils down to answering: Has the vendor confirmed the problem? Are there independent technical writeups or PoCs? Are exploit details available? How reliable are the technical claims? This article applies that metric to CVE‑2026‑25178: collecting the public evidence, weighing sources, and giving a defensible confidence assessment with recommended actions.
What we know (evidence inventory)
- Vendor listing (primary authoritative evidence). Microsoft’s Security Update Guide lists CVE‑2026‑25178 as “Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability.” The MSRC Update Guide is the authoritative vendor page for Microsoft‑published CVEs and is the canonical place to check for vendor acknowledgement and patch guidance. (msrc.microsoft.com)
- Third‑party CVE aggregators and databases. Multiple vulnerability aggregators and tracking sites have indexed CVE‑2026‑25178 and summarize the issue as a use‑after‑free in the AFD (WinSock) driver that allows local privilege escalation. These sources include cvefeed.io, CVE Details, and others that mirror the vendor reference and add a CVSS assessment. Those pages also list the same description phrase and link back to Microsoft’s update guide.
- Historical context from previous AFD.sys vulnerabilities. AFD.sys (the Ancillary Function Driver for WinSock) has been the subject of multiple prior Microsoft advisories and patches (for example, vulnerabilities disclosed in 2024–2025 that resulted in elevation of privilege fixes). The track record shows that AFD.sys has been repeatedly targeted by security researchers and fixed by Microsoft in past Patch Tuesday cycles. This historical precedent strengthens the plausibility of new, similar findings.
- Public technical details available: At the time of writing there are short public summaries (use‑after‑free described) and CVSS vectors reported by aggregators, but there are no detailed technical whitepapers or public exploit code / PoCs in widely‑trusted sources indexed by major aggregators. That pattern is typical immediately after vendor publication: vendor posts entry, aggregators index, detailed technical analysis may follow from independent researchers.
- Vendor acknowledgement status: Microsoft has the listing in its Security Update Guide for CVE‑2026‑25178, which demonstrates vendor acknowledgement of the CVE identifier and the general issue. For the confidence metric described in your prompt, vendor acknowledgement is the strongest single indicator that the vulnerability is real and addressed or tracked. (msrc.microsoft.com)
- Corroboration by independent aggregators: Multiple CVE viewers and security feeds (cvefeed, cvedetails, etc.) show near identical descriptions and reference the MSRC page. Independent third‑party indexing is expected and does not on its own prove technical correctness, but the correlation across independent trackers increases confidence that the report is not a single erroneous listing.
- Technical depth publicly available: Right now, the public text that’s been collected by aggregators emphasizes “use after free” and local privilege escalation without providing function‑level or exploit‑level proof. That means we have reliable statements about the class of bug (use‑after‑free) and the impact (local EoP), but limited detail on the root cause, exact code path(s), and any exploit reliability. Absence of a detailed public technical writeup or PoC reduces the confidence in detailed operational implications (e.g., how easy it is to exploit on present Windows builds), though it does not reduce confidence in the vulnerability’s existence given vendor acknowledgement.
Using the staged taxonomy you described (from “only existence publicized without details” through “confirmed by vendor”), here is a short, evidence‑aligned classification for CVE‑2026‑25178:
- Existence confidence: High. Microsoft has a Security Update Guide entry for CVE‑2026‑25178, and multiple external vulnerability trackers mirror the vendor listing. Vendor acknowledgement is the most authoritative evidence for existence. (msrc.microsoft.com)
- Technical‑detail confidence: Moderate. Public sources describe the weakness as a use‑after‑free in AFD.sys and list the CVSS vector/score; however, there are no widely‑available vendor technical notes with function names, stack traces, or independent public writeups / exploit code at the time of this writing. That puts us in the “vulnerability known with a stated class and impact, but full technical root‑cause and exploitation details not yet public” bucket.
- Practical exploitability knowledge (attacker view): Medium‑Low to Medium. The CVSS vector indicates local attack complexity and partial mitigations (AV:L, AC:H), and the issue is not remotely exploitable. Without a public PoC it’s unclear how easy or reliable exploitation is across affected Windows builds; however, AFD.sys has a history of impactful local EoP vulnerabilities, which means motivated actors may reverse‑engineer or weaponize this class of flaw once details are available.
- Urgency for defenders: High. Even with only a vendor listing and no public exploit details, the consequence (local elevation to SYSTEM) in a widely deployed kernel driver makes this a high operational priority for patching and mitigations in enterprise environments. Microsoft entries like this are typically issued with updates — the immediate defensive posture should be to treat the CVE as a confirmed local privilege escalation and to apply vendor updates per guidance. (msrc.microsoft.com)
- Overall metric summary (short): Existence = Confirmed (vendor). Technical detail = Publicly described at the class level (use‑after‑free) but lacking deep technical disclosure. Confidence in existence: High. Confidence in precise exploitability/technical behavior: Moderate.
- AFD.sys is a kernel‑level driver that implements low‑level socket handling for WinSock; vulnerabilities in it have been a repeated source of local elevation issues because it runs in kernel mode and is widely invoked by user processes. A “use‑after‑free” typically indicates object lifetime mismanagement: a kernel object is freed but a subsequent path still dereferences the pointer, permitting memory corruption and potential control over kernel data or code flow. That can in turn allow privilege escalation to SYSTEM if exploited successfully. Prior AFD.sys issues in 2024–2025 followed this pattern and led to fixes and patches from Microsoft.
- For defenders, the practical risk stems from two facts: (1) kernel memory corruption can be powerful (SYSTEM), and (2) local access is sufficient. The latter is important because once an attacker has local access (e.g., via an unprivileged user account, phishing payload executed locally, or malicious script run by a user), they might be able to chain this EoP to fully compromise the host.
- No public PoC or exploit samples at time of indexing. Without an exploit binary or public step‑by‑step exploitation writeup, defenders cannot quantify exploit reliability, required privileges, or per‑build variations in behavior. That gap keeps the “technical detail” portion of the confidence metric at moderate rather than high.
- No explicit affected‑build table in the public aggregator entries. Microsoft’s Update Guide normally includes which KB/patch fixes the issue and the affected products/builds; sometimes the dynamic MSRC page must be loaded in a browser to see the full table. Defenders should consult the MSRC entry directly and also use Windows Update metadata for their environment to find the precise KB that addresses the issue. (msrc.microsoft.com)
- Immediate patching: Consult Microsoft’s Security Update Guide entry for CVE‑2026‑25178 and apply the vendor updates or hotfixes indicated for your Windows builds as soon as feasible after appropriate testing. Vendor acknowledgement indicates Microsoft will provide a remediation path. (msrc.microsoft.com)
- Prioritize high‑risk hosts: Start with internet‑exposed desktop/laptop pools where users routinely execute untrusted code, RDP‑accessible endpoints, and servers where local access by low‑privilege accounts is easier to obtain (for example, multi‑tenant desktops). Given the local nature of the vulnerability, prioritize systems where user interaction can be coerced or where hosts run untrusted code.
- Detection and telemetry (near‑term): Look for anomalous local process behavior that attempts to invoke kernel sockets in unusual ways or repeated crashes of afd.sys. Kernel crash dumps (blue screens) and Windows Event logs referencing afd.sys or SYSTEM crashes should be reviewed. If you have EDR telemetry, add afd.sys crash signatures and unusual kernel memory corruption indicators to high‑priority watchlists. (Note: these are general detection ideas for kernel use‑after‑free classes — specific IOCs tied to an exploit will only appear once exploit details emerge.)
- Hardening mitigations: Where patching cannot be immediately applied, follow least‑privilege practices (reduce local interactive admin accounts), disable unnecessary local services, and restrict execution privileges for untrusted users. In some high‑security environments, temporary compensating controls might include removing local admin rights for users, implementing application allowlisting, and using constrained local accounts for everyday tasks.
- Monitoring for public exploit disclosures: Expect follow‑on technical writeups from security researchers and forensic blogs. When those appear, update detection rules with TTPs and any exploit artifacts disclosed. Given the historical pattern for AFD.sys issues (prior research and public writeups after vendor advisories), it’s likely that technical analysis and PoCs will surface quickly once researchers can responsibly publish.
- Primary: Microsoft Security Update Guide entry for CVE‑2026‑25178 (use the MSRC vulnerability page and Microsoft’s security update metadata). (msrc.microsoft.com)
- Aggregators: cvefeed.io and CVE Details for CVSS snapshot and cross‑references (these mirror vendor text and provide quick indexable metadata).
- Security blogs & vendor advisories: major security vendors and researchers (e.g., Fortinet, Armis, RiskIQ, etc.) will often publish analysis and detection guidance; check them after initial vendor publication.
- March 10, 2026: CVE entries and aggregators indexed the vulnerability and list it with the “use‑after‑free” description and a CVSS vector. Microsoft’s Update Guide has a corresponding entry (authoritative vendor record). Aggregators show a CVSS of 7.0 in early indexing.
- Historical context: Similar AFD.sys issues were patched in 2024–2025 (e.g., CVE‑2025‑21418 and a number of other AFD.sys CVEs), which shows the kernel driver has been scrutinized and has been a repeated source of elevation‑of‑privilege fixes in recent years. That history helps explain why MSRC and third‑party trackers index new AFD.sys CVEs quickly and why defenders should treat these reports as high priority even before technical exploit details are published.
- If Microsoft’s MSRC page is updated to add technical notes, exploitability guidance, or to indicate the CVE was reserved in error, that would change the interpretation. Always re‑check the MSRC advisory for update details and targeted KBs. (msrc.microsoft.com)
- If a public PoC is later published, that would raise the operational urgency (and may increase our exploitability confidence from moderate to high). Conversely, if independent researchers show the issue is extremely difficult or only exploitable under very narrow conditions, that could lower exploitation risk even though the existence remains confirmed.
- Existence confidence: High (vendor acknowledgement via MSRC). (msrc.microsoft.com)
- Technical‑detail confidence: Moderate (class of issue identified publicly as a use‑after‑free; no detailed public exploit writeups or PoC at time of writing).
- Practical urgency: High for defenders — treat CVE‑2026‑25178 as a confirmed local privilege escalation requiring rapid patching and prioritized mitigation given the kernel impact and historical pattern of AFD.sys vulnerabilities. (msrc.microsoft.com)
Source: MSRC Security Update Guide - Microsoft Security Response Center