Microsoft disclosed CVE-2026-45598 on June 9, 2026, as an Important-rated Windows Ancillary Function Driver for WinSock elevation-of-privilege vulnerability that allows an authorized local attacker to raise privileges on affected Windows systems. The dry phrasing is easy to skim past in a Patch Tuesday avalanche, but the component name should make administrators pause. AFD.sys sits close to the plumbing that lets Windows applications talk over the network, and local privilege escalation bugs in that layer have a history of turning “already on the box” into “owns the box.” The most important thing about this advisory is not that Microsoft says the flaw exists; it is that Microsoft is revealing just enough to make the risk real while withholding the sort of detail that would let defenders or attackers fully model it.
CVE-2026-45598 arrives as part of Microsoft’s June 2026 Patch Tuesday, a release large enough that any single vulnerability can disappear into the spreadsheet. That is the first trap. Local elevation-of-privilege flaws rarely generate the same alarm as wormable remote-code-execution bugs, yet they are often the second stage that makes intrusions durable.
The advisory identifies the affected component as the Windows Ancillary Function Driver for WinSock, commonly associated with AFD.sys. In practical terms, this is kernel-mode infrastructure used by Windows networking. It is not an optional consumer feature or a niche enterprise add-on; it is part of the operating system’s everyday networking path.
Microsoft’s public description characterizes the issue as a use-after-free condition involving a race condition. That combination matters. A use-after-free bug means code may continue to reference memory after it should no longer be trusted. A race condition means the attacker’s opportunity may depend on timing, repeated attempts, or careful orchestration of competing operations.
The result, according to the advisory data now circulating through vulnerability databases, is local privilege escalation by an authorized attacker. That phrase narrows the scenario but does not make it comfortable. “Authorized” does not mean trusted in the way a domain admin is trusted; it can mean a low-privileged local account, a foothold obtained through phishing, a compromised browser process, or malware already running without administrative rights.
This is where Microsoft’s confidence language becomes more than boilerplate. The vulnerability is confirmed by the vendor, but the detailed exploit mechanics are not public. That creates a familiar Patch Tuesday asymmetry: defenders know enough to prioritize patching, while attackers know enough to begin diffing the patched binaries.
Modern intrusions do not respect that neat division. Endpoint compromise is often a chain, not a single event. A user opens a malicious file, a browser sandbox is escaped, a credential is phished, a service account is abused, and then the attacker needs one more step: kernel or SYSTEM-level control.
That is where vulnerabilities like CVE-2026-45598 become strategically valuable. They may not be the front door, but they can be the staircase. If an attacker can move from a constrained context to a privileged one, defensive boundaries that looked meaningful on paper begin to collapse.
For WindowsForum readers, the practical lesson is not to panic over every AFD.sys CVE. Microsoft has shipped many fixes for the component over the years, and not every one becomes a widely exploited weapon. The lesson is to treat local privilege escalation as a first-class patching concern, especially on systems exposed to untrusted users, shared workloads, remote access, developer tooling, or browser-heavy activity.
The June 2026 context also matters. This Patch Tuesday included multiple Windows security fixes, including several Ancillary Function Driver for WinSock entries. When one component shows up repeatedly in the same month, defenders should assume Microsoft has been working through a cluster of related bug classes or researcher submissions. That does not prove common exploitability, but it does suggest an area of the kernel networking stack that deserved sustained attention.
That invisibility is part of the risk. Components like AFD.sys are broadly present, deeply privileged, and difficult to meaningfully remove from a Windows estate. If a vulnerability affects supported Windows client and server versions, mitigation usually comes down to applying the cumulative update rather than toggling off a feature.
Kernel-mode networking components also sit at an awkward boundary. They process operations triggered by user-mode applications, but they execute with far greater authority. That is why memory-safety errors in this space can be so consequential. A bug that begins as mishandled object lifetime can, under the right circumstances, become control over privileged execution.
The advisory’s “use after free” language points to an object-lifetime problem. The “race condition” classification adds another layer: the vulnerable state may appear only when two or more operations interleave in a particular way. That can make exploitation less trivial than a clean linear overflow, but it does not make exploitation theoretical. Many serious Windows local privilege escalation exploits have depended on precisely this kind of timing-sensitive behavior.
It is also why exploit reliability is hard to infer from the advisory alone. A race can be flaky in a lab and reliable in the hands of a skilled exploit developer with enough retries, processor knowledge, and target-specific tuning. Defenders should avoid treating “race condition” as a synonym for “unlikely.”
That does not mean the public knows everything important. The root cause is described only at a category level: use-after-free, race condition, local elevation of privilege. There is no public proof of concept in Microsoft’s advisory, no step-by-step attack path, and no detailed explanation of which code path in AFD.sys mishandles lifetime or synchronization.
This distinction matters for both attackers and defenders. For defenders, high confidence in existence should drive patch urgency. For attackers, limited technical disclosure may slow the first wave of exploitation, but it will not prevent binary-diffing, patch analysis, or independent rediscovery.
The most honest reading is that CVE-2026-45598 has high vendor-confirmed existence confidence and moderate public technical-detail confidence. We know the component, impact, broad bug class, attacker position, and release date. We do not know the exploit primitive, reliability, affected internal function, or whether any private exploit already exists.
That makes the vulnerability serious without making it sensational. It is not currently framed as a publicly exploited zero-day. It is also not safe to ignore simply because it lacks a headline-grabbing exploit write-up.
But once the attacker is local, the value changes sharply. Privilege escalation can allow malware to disable security tools, dump credentials, tamper with logs, install kernel-adjacent persistence, or move laterally with better tokens. In enterprise terms, the original compromise may be noisy and contained; the privilege escalation is what turns it into a broader incident.
This is especially relevant for Windows servers that host many users or workloads. Remote Desktop Session Hosts, jump boxes, developer workstations, build agents, kiosks, shared lab machines, and virtual desktop infrastructure all magnify local privilege boundaries. If untrusted or semi-trusted users can execute code locally, elevation-of-privilege bugs become far more than theoretical.
The same logic applies to consumer systems, though the impact is usually framed differently. A home user may not care about “lateral movement,” but they should care if malware can move from a standard-user context to administrative or SYSTEM-level control. Once that happens, removal becomes harder and data exposure becomes more likely.
For administrators, the central question is not “Can this be exploited remotely?” The better question is: “Where do we allow untrusted code or low-trust users to run on Windows?” Those are the systems where CVE-2026-45598 should move up the queue.
Elevation-of-privilege vulnerabilities often sit just below the emergency threshold. They are not always externally reachable. They may require authentication. They may not have public exploit code on day one. But attackers can use them to complete the very chains defenders are trying to break.
Microsoft’s monthly cumulative update model simplifies one part of the problem: you usually do not patch just CVE-2026-45598. You deploy the relevant June 2026 cumulative updates for affected Windows versions, test them against business-critical workloads, and monitor for regressions. The CVE is a reason to accelerate that process, not a standalone package to install.
That model is both a blessing and a curse. It reduces patch selection errors, but it also means organizations sometimes delay an entire cumulative update because of one compatibility concern. In a month with several kernel, networking, and privilege-related fixes, deferral becomes a larger security bet.
The better posture is staged urgency. Patch internet-facing and high-risk shared systems first, then privileged admin workstations, then broad client populations, then lower-risk servers according to change windows. Waiting for exploit code to appear before moving is not a strategy; it is a wager that attackers will be slower than your maintenance calendar.
But absence of known exploitation on disclosure day is not the same as low risk. Patch release gives researchers and adversaries a before-and-after snapshot. For Windows kernel bugs, diffing patched and unpatched binaries can reveal changed code paths, new checks, altered synchronization, or object-lifetime corrections.
The attacker’s work is harder when Microsoft withholds details, but it is not blind. The component is named. The bug class is named. The impact is named. The patch is available. That is enough to start looking.
This is why the report confidence metric should be read in operational terms. Confidence that the bug exists is high because Microsoft fixed it. Confidence that attackers already know the full technique is lower, at least publicly. But over time, that second confidence level tends to rise as patches are analyzed, proof-of-concept attempts circulate privately, and exploit developers test reliability across builds.
Defenders have a window in which the patch is more available than the exploit. The whole point of Patch Tuesday discipline is to use that window.
Privileged access workstations should be near the front of the line. If an attacker compromises a standard process on an admin machine and then obtains higher local privileges, the path to credential theft and domain impact becomes shorter. That is true even in environments with credential protections, because real-world administrative sessions still create opportunities.
Remote Desktop infrastructure also deserves attention. Multi-user Windows systems are exactly where local privilege boundaries matter most. A vulnerability that lets one authorized local user elevate privileges can threaten other sessions, services, or the host itself.
Build systems and developer workstations are another quiet priority. They often run complex tools, third-party dependencies, local services, emulators, containers, and test harnesses. They are also attractive because compromising a build pipeline can create downstream trust problems far beyond the original host.
Servers that do not allow interactive logon by untrusted users may be lower immediate risk, but they should not be ignored. Many server compromises begin with a service account or application-level foothold. If that foothold can be converted into privileged local execution, segmentation and monitoring assumptions weaken.
The good news is that Windows Update should handle the relevant cumulative update for supported systems. The bad news is that many users delay restarts indefinitely, especially when updates arrive during work or gaming sessions. A downloaded but unapplied update does not protect the kernel.
Enthusiasts should also be careful with unofficial mitigation advice. Because the vulnerable component is core networking infrastructure, attempts to disable or tamper with it are more likely to break Windows than to provide a clean defense. The patch is the mitigation that matters.
Users on unsupported Windows versions face the familiar problem. If the operating system is outside support and not enrolled in any applicable extended update program, a confirmed kernel-adjacent bug becomes another reason to migrate. Security advice that amounts to “be careful” is thin protection against memory-corruption vulnerabilities in core OS components.
The practical consumer recommendation is straightforward: install the June 2026 security update, restart, and verify that Windows Update reports the system current. That will not make the machine invulnerable, but it removes this known path from an attacker’s toolbox.
When multiple flaws appear in the same subsystem at once, several explanations are possible. A researcher may have audited the component and reported a batch of related issues. Microsoft’s internal review may have found variants after fixing an initial report. Automated analysis may have identified a pattern. Or separate submissions may have converged on a historically bug-prone area.
Whatever the origin, defenders should think in terms of class risk. Use-after-free and race-condition vulnerabilities in kernel networking code are not cosmetic. They are signs of complex object lifetime and synchronization behavior under pressure, exactly the kind of area where patch completeness and variant analysis matter.
This also argues against cherry-picking concern only for CVE-2026-45598. If your estate is affected, the right response is not to track one CVE obsessively while ignoring the rest of the June kernel and networking fixes. The operating system is patched as a whole because the attack surface is used as a whole.
For security teams that report to management, the message should be concise: this is a vendor-confirmed local privilege escalation flaw in core Windows networking infrastructure, part of a broader Patch Tuesday cluster, and the available remedy is the June 2026 Windows security update.
Microsoft Confirms the Bug, but Not the Whole Shape of the Blast Radius
CVE-2026-45598 arrives as part of Microsoft’s June 2026 Patch Tuesday, a release large enough that any single vulnerability can disappear into the spreadsheet. That is the first trap. Local elevation-of-privilege flaws rarely generate the same alarm as wormable remote-code-execution bugs, yet they are often the second stage that makes intrusions durable.The advisory identifies the affected component as the Windows Ancillary Function Driver for WinSock, commonly associated with AFD.sys. In practical terms, this is kernel-mode infrastructure used by Windows networking. It is not an optional consumer feature or a niche enterprise add-on; it is part of the operating system’s everyday networking path.
Microsoft’s public description characterizes the issue as a use-after-free condition involving a race condition. That combination matters. A use-after-free bug means code may continue to reference memory after it should no longer be trusted. A race condition means the attacker’s opportunity may depend on timing, repeated attempts, or careful orchestration of competing operations.
The result, according to the advisory data now circulating through vulnerability databases, is local privilege escalation by an authorized attacker. That phrase narrows the scenario but does not make it comfortable. “Authorized” does not mean trusted in the way a domain admin is trusted; it can mean a low-privileged local account, a foothold obtained through phishing, a compromised browser process, or malware already running without administrative rights.
This is where Microsoft’s confidence language becomes more than boilerplate. The vulnerability is confirmed by the vendor, but the detailed exploit mechanics are not public. That creates a familiar Patch Tuesday asymmetry: defenders know enough to prioritize patching, while attackers know enough to begin diffing the patched binaries.
The “Important” Label Undersells the Way Attack Chains Actually Work
Microsoft’s severity taxonomy is useful, but it can distort attention. A Critical remote-code-execution bug screams for emergency handling because it can describe an attacker crossing the network boundary unauthenticated. An Important elevation-of-privilege bug sounds less immediate because it assumes the attacker is already somewhere inside the system.Modern intrusions do not respect that neat division. Endpoint compromise is often a chain, not a single event. A user opens a malicious file, a browser sandbox is escaped, a credential is phished, a service account is abused, and then the attacker needs one more step: kernel or SYSTEM-level control.
That is where vulnerabilities like CVE-2026-45598 become strategically valuable. They may not be the front door, but they can be the staircase. If an attacker can move from a constrained context to a privileged one, defensive boundaries that looked meaningful on paper begin to collapse.
For WindowsForum readers, the practical lesson is not to panic over every AFD.sys CVE. Microsoft has shipped many fixes for the component over the years, and not every one becomes a widely exploited weapon. The lesson is to treat local privilege escalation as a first-class patching concern, especially on systems exposed to untrusted users, shared workloads, remote access, developer tooling, or browser-heavy activity.
The June 2026 context also matters. This Patch Tuesday included multiple Windows security fixes, including several Ancillary Function Driver for WinSock entries. When one component shows up repeatedly in the same month, defenders should assume Microsoft has been working through a cluster of related bug classes or researcher submissions. That does not prove common exploitability, but it does suggest an area of the kernel networking stack that deserved sustained attention.
AFD.sys Is Not Glamorous, Which Is Exactly Why It Matters
The Ancillary Function Driver for WinSock is not a feature with a marketing page. It is plumbing. Windows software depends on it through the networking stack, and administrators generally encounter it only when something breaks, crashes, or appears in a security advisory.That invisibility is part of the risk. Components like AFD.sys are broadly present, deeply privileged, and difficult to meaningfully remove from a Windows estate. If a vulnerability affects supported Windows client and server versions, mitigation usually comes down to applying the cumulative update rather than toggling off a feature.
Kernel-mode networking components also sit at an awkward boundary. They process operations triggered by user-mode applications, but they execute with far greater authority. That is why memory-safety errors in this space can be so consequential. A bug that begins as mishandled object lifetime can, under the right circumstances, become control over privileged execution.
The advisory’s “use after free” language points to an object-lifetime problem. The “race condition” classification adds another layer: the vulnerable state may appear only when two or more operations interleave in a particular way. That can make exploitation less trivial than a clean linear overflow, but it does not make exploitation theoretical. Many serious Windows local privilege escalation exploits have depended on precisely this kind of timing-sensitive behavior.
It is also why exploit reliability is hard to infer from the advisory alone. A race can be flaky in a lab and reliable in the hands of a skilled exploit developer with enough retries, processor knowledge, and target-specific tuning. Defenders should avoid treating “race condition” as a synonym for “unlikely.”
Report Confidence Is High, Exploit Transparency Is Not
The user-supplied definition of the confidence metric is useful because it separates two things that are often blurred: confidence that a vulnerability exists, and confidence in the public technical detail about how it works. CVE-2026-45598 is not a rumor, a scraped crash report, or an unverified researcher claim. Microsoft has assigned and published the vulnerability in its Security Update Guide, which puts the existence of the issue on firm ground.That does not mean the public knows everything important. The root cause is described only at a category level: use-after-free, race condition, local elevation of privilege. There is no public proof of concept in Microsoft’s advisory, no step-by-step attack path, and no detailed explanation of which code path in AFD.sys mishandles lifetime or synchronization.
This distinction matters for both attackers and defenders. For defenders, high confidence in existence should drive patch urgency. For attackers, limited technical disclosure may slow the first wave of exploitation, but it will not prevent binary-diffing, patch analysis, or independent rediscovery.
The most honest reading is that CVE-2026-45598 has high vendor-confirmed existence confidence and moderate public technical-detail confidence. We know the component, impact, broad bug class, attacker position, and release date. We do not know the exploit primitive, reliability, affected internal function, or whether any private exploit already exists.
That makes the vulnerability serious without making it sensational. It is not currently framed as a publicly exploited zero-day. It is also not safe to ignore simply because it lacks a headline-grabbing exploit write-up.
The Attack Scenario Starts After the First Mistake
The likely attacker story for CVE-2026-45598 begins with a low-privileged foothold. That could be a malicious document, a user-space application exploit, stolen credentials, a compromised remote desktop session, or a local account on a shared machine. The vulnerability does not appear to give an unauthenticated remote attacker direct entry from the internet.But once the attacker is local, the value changes sharply. Privilege escalation can allow malware to disable security tools, dump credentials, tamper with logs, install kernel-adjacent persistence, or move laterally with better tokens. In enterprise terms, the original compromise may be noisy and contained; the privilege escalation is what turns it into a broader incident.
This is especially relevant for Windows servers that host many users or workloads. Remote Desktop Session Hosts, jump boxes, developer workstations, build agents, kiosks, shared lab machines, and virtual desktop infrastructure all magnify local privilege boundaries. If untrusted or semi-trusted users can execute code locally, elevation-of-privilege bugs become far more than theoretical.
The same logic applies to consumer systems, though the impact is usually framed differently. A home user may not care about “lateral movement,” but they should care if malware can move from a standard-user context to administrative or SYSTEM-level control. Once that happens, removal becomes harder and data exposure becomes more likely.
For administrators, the central question is not “Can this be exploited remotely?” The better question is: “Where do we allow untrusted code or low-trust users to run on Windows?” Those are the systems where CVE-2026-45598 should move up the queue.
Patch Tuesday’s Volume Is Becoming Its Own Risk
June 2026’s Patch Tuesday volume creates a management problem. When Microsoft ships fixes for hundreds of CVEs, security teams triage by severity, exploitation status, asset exposure, and operational risk. That is rational. It is also where bugs like CVE-2026-45598 can be deferred too easily.Elevation-of-privilege vulnerabilities often sit just below the emergency threshold. They are not always externally reachable. They may require authentication. They may not have public exploit code on day one. But attackers can use them to complete the very chains defenders are trying to break.
Microsoft’s monthly cumulative update model simplifies one part of the problem: you usually do not patch just CVE-2026-45598. You deploy the relevant June 2026 cumulative updates for affected Windows versions, test them against business-critical workloads, and monitor for regressions. The CVE is a reason to accelerate that process, not a standalone package to install.
That model is both a blessing and a curse. It reduces patch selection errors, but it also means organizations sometimes delay an entire cumulative update because of one compatibility concern. In a month with several kernel, networking, and privilege-related fixes, deferral becomes a larger security bet.
The better posture is staged urgency. Patch internet-facing and high-risk shared systems first, then privileged admin workstations, then broad client populations, then lower-risk servers according to change windows. Waiting for exploit code to appear before moving is not a strategy; it is a wager that attackers will be slower than your maintenance calendar.
The Missing Exploit Code Is a Temporary Comfort
There is no need to claim that CVE-2026-45598 is being actively exploited if Microsoft and public reporting do not say so. That restraint is important. The security industry has a bad habit of converting every local privilege escalation into a near-apocalyptic warning.But absence of known exploitation on disclosure day is not the same as low risk. Patch release gives researchers and adversaries a before-and-after snapshot. For Windows kernel bugs, diffing patched and unpatched binaries can reveal changed code paths, new checks, altered synchronization, or object-lifetime corrections.
The attacker’s work is harder when Microsoft withholds details, but it is not blind. The component is named. The bug class is named. The impact is named. The patch is available. That is enough to start looking.
This is why the report confidence metric should be read in operational terms. Confidence that the bug exists is high because Microsoft fixed it. Confidence that attackers already know the full technique is lower, at least publicly. But over time, that second confidence level tends to rise as patches are analyzed, proof-of-concept attempts circulate privately, and exploit developers test reliability across builds.
Defenders have a window in which the patch is more available than the exploit. The whole point of Patch Tuesday discipline is to use that window.
Enterprise IT Should Prioritize the Machines That Turn Local Bugs Into Domain Problems
Not every Windows endpoint deserves the same emergency treatment. The risk from CVE-2026-45598 depends heavily on who can run code on the system and what privileges the system can reach if compromised. A forgotten kiosk and a domain admin workstation are both Windows machines, but they are not equivalent security assets.Privileged access workstations should be near the front of the line. If an attacker compromises a standard process on an admin machine and then obtains higher local privileges, the path to credential theft and domain impact becomes shorter. That is true even in environments with credential protections, because real-world administrative sessions still create opportunities.
Remote Desktop infrastructure also deserves attention. Multi-user Windows systems are exactly where local privilege boundaries matter most. A vulnerability that lets one authorized local user elevate privileges can threaten other sessions, services, or the host itself.
Build systems and developer workstations are another quiet priority. They often run complex tools, third-party dependencies, local services, emulators, containers, and test harnesses. They are also attractive because compromising a build pipeline can create downstream trust problems far beyond the original host.
Servers that do not allow interactive logon by untrusted users may be lower immediate risk, but they should not be ignored. Many server compromises begin with a service account or application-level foothold. If that foothold can be converted into privileged local execution, segmentation and monitoring assumptions weaken.
Home Users Still Need the Fix, but the Story Is Simpler
For home users, CVE-2026-45598 is less about enterprise-style privilege boundaries and more about malware containment. If you run as a standard user, local privilege escalation vulnerabilities are one way malware escapes that restriction. If you run as an administrator, the practical difference may be smaller, but the underlying system still benefits from the patch.The good news is that Windows Update should handle the relevant cumulative update for supported systems. The bad news is that many users delay restarts indefinitely, especially when updates arrive during work or gaming sessions. A downloaded but unapplied update does not protect the kernel.
Enthusiasts should also be careful with unofficial mitigation advice. Because the vulnerable component is core networking infrastructure, attempts to disable or tamper with it are more likely to break Windows than to provide a clean defense. The patch is the mitigation that matters.
Users on unsupported Windows versions face the familiar problem. If the operating system is outside support and not enrolled in any applicable extended update program, a confirmed kernel-adjacent bug becomes another reason to migrate. Security advice that amounts to “be careful” is thin protection against memory-corruption vulnerabilities in core OS components.
The practical consumer recommendation is straightforward: install the June 2026 security update, restart, and verify that Windows Update reports the system current. That will not make the machine invulnerable, but it removes this known path from an attacker’s toolbox.
The Repetition Around AFD.sys Is the Bigger Signal
CVE-2026-45598 is not alone in the June 2026 AFD.sys cluster. Public Patch Tuesday roundups list multiple Windows Ancillary Function Driver for WinSock elevation-of-privilege vulnerabilities in the same release, including neighboring CVEs with similar descriptions. That repetition should not be overinterpreted as a single mega-bug, but it is a signal.When multiple flaws appear in the same subsystem at once, several explanations are possible. A researcher may have audited the component and reported a batch of related issues. Microsoft’s internal review may have found variants after fixing an initial report. Automated analysis may have identified a pattern. Or separate submissions may have converged on a historically bug-prone area.
Whatever the origin, defenders should think in terms of class risk. Use-after-free and race-condition vulnerabilities in kernel networking code are not cosmetic. They are signs of complex object lifetime and synchronization behavior under pressure, exactly the kind of area where patch completeness and variant analysis matter.
This also argues against cherry-picking concern only for CVE-2026-45598. If your estate is affected, the right response is not to track one CVE obsessively while ignoring the rest of the June kernel and networking fixes. The operating system is patched as a whole because the attack surface is used as a whole.
For security teams that report to management, the message should be concise: this is a vendor-confirmed local privilege escalation flaw in core Windows networking infrastructure, part of a broader Patch Tuesday cluster, and the available remedy is the June 2026 Windows security update.
The June AFD Fix Leaves Administrators With a Narrow but Useful Window
The best reading of CVE-2026-45598 is neither complacency nor panic. It is a confirmed local privilege escalation vulnerability in a core Windows component, with limited public technical detail and no clear public claim of active exploitation at disclosure. That combination gives defenders a chance to move before exploit maturity catches up.- Microsoft disclosed CVE-2026-45598 on June 9, 2026, as an Important Windows Ancillary Function Driver for WinSock elevation-of-privilege vulnerability.
- The public technical description points to a use-after-free issue associated with a race condition.
- The attacker position is local and authorized, which makes the bug most dangerous after an initial foothold has already been obtained.
- Systems that allow untrusted users or untrusted code to run locally should be prioritized ahead of lower-exposure servers.
- The lack of public exploit detail should be treated as a temporary advantage for defenders, not as proof that exploitation will remain impractical.
- The safest mitigation is to deploy the relevant June 2026 Windows security updates and verify that affected machines have actually restarted into the patched build.
References
- Primary source: MSRC
Published: 2026-06-09T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: datacomm.com
- Related coverage: netservicesgroup.com
CVE-2026-20810 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability - Network Services Group
Free of memory not on the heap in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.www.netservicesgroup.com - Related coverage: rapid7.com
Rapid7
Rapid7's VulnDB is curated repository of vetted computer software exploits and exploitable vulnerabilities.www.rapid7.com - Related coverage: mindray.com
- Related coverage: nccgroup.com
- Related coverage: absolute.com
Loading…
www.absolute.com - Related coverage: bleepingcomputer.com
Microsoft June 2026 Patch Tuesday fixes 3 zero-day, 200 flaws
Today is Microsoft's June 2026 Patch Tuesday, with security updates for 200 flaws and three publicly disclosed zero-day vulnerabilities.www.bleepingcomputer.com - Related coverage: stack.watch
- Related coverage: elevenforum.com
Microsoft June / July 2026 Security Updates
June 2026 Security Updates This release consists of the following 206 Microsoft CVEs: Tag CVE Base Score CVSS Vector Exploitability FAQs? Workarounds? Mitigations? Nuance PowerScribe CVE-2026-26142 Microsoft Azure Kubernetes Service CVE-2026-32193 Microsoft Office SharePoint CVE-2026-33113...
www.elevenforum.com
