July 8, 2026 Stories worth reading. Perspectives worth sharing.
CVE-2026-45638: Windows Ancillary Function Driver for WinSock EoP — Informational Update, No Immediate Risk, But Stay Vigilant
Cybersecurity

CVE-2026-45638: Windows Ancillary Function Driver for WinSock EoP — Informational Update, No Immediate Risk, But Stay Vigilant

Mo Wasay July 7, 2026 5 min read
CVE-2026-45638: Windows Ancillary Function Driver for WinSock EoP — Informational Update, No Immediate Risk, But Stay Vigilant

THREAT BRIEF

On June 2024, Microsoft revised advisory CVE-2026-45638 for the Windows Ancillary Function Driver for WinSock (afd.sys), a critical system-level component enabling network socket operations. The change is informational only: no new vulnerability, patch, or exploitation details. Instead, Microsoft updated the list of acknowledgements — which typically signals credit given to researchers or parties who originally reported the issue. The underlying threat remains relevant: attackers exploiting privilege escalation flaws in afd.sys can gain SYSTEM-level access, bypassing standard controls.

WHAT CHANGED IN THIS RELEASE / ADVISORY

  • Versions affected: As per Microsoft’s advisory, recent Windows builds (Windows 10, 11, Server 2016/2019/2022) are in scope, but no new builds were added or removed in this update.
  • Exact CVE addressed: CVE-2026-45638 (Elevation of Privilege; Ancillary Function Driver for WinSock).
  • Behavioural differences: The only change is the acknowledgement update — no functional, patch, or exploit vector changes.

Practitioners should note this is not a new vulnerability or an urgent patch; it is a documentation change. However, afd.sys has a history of privilege escalation flaws, making it a perennial target for attackers seeking local SYSTEM access.

SCOPE & IMPACT

All supported Windows desktop and server platforms utilizing the Ancillary Function Driver for WinSock are exposed to privilege escalation if a relevant flaw is discovered or exploited. This includes:

  • Windows 10 (all supported branches)
  • Windows 11
  • Windows Server 2016, 2019, 2022

Any system running third-party applications or scripts capable of executing local code could potentially be leveraged in EoP scenarios if afd.sys is vulnerable — particularly as the driver operates with SYSTEM privileges.

HOW IT WORKS

afd.sys manages socket-level communications and exposes privileged operations to user mode via documented and undocumented interfaces. Historically, attackers have abused race conditions, buffer overflows, or improper access checks in this driver to elevate privileges. Exploitation typically requires local code execution — often via a compromised user or service account — and then leverages the driver’s vulnerability to gain SYSTEM rights.

In the context of CVE-2026-45638, no new technical details or exploit primitives are disclosed. However, the historical threat persists: any local privilege escalation flaw in afd.sys is dangerous due to its wide deployment and high privilege level.

DETECTION

While no new vulnerability is released, practitioners should audit their systems for the presence and version of afd.sys, and check patch status. Here’s a PowerShell snippet to enumerate afd.sys versions and validate against installed security updates:

try {
    $afdPath = "$env:windir\System32\drivers\afd.sys"
    if (Test-Path $afdPath) {
        $afdVersion = (Get-Item $afdPath).VersionInfo.FileVersion
        Write-Output "afd.sys version: $afdVersion"
        # Check for latest patch status
        $patches = Get-HotFix | Where-Object {$_.Description -like "*Security Update*"}
        $afdPatched = $patches | Where-Object { $_.HotFixID -match "KB" }
        if ($afdPatched) {
            Write-Output "Security patches detected:"
            $afdPatched | Select HotFixID, InstalledOn | Format-Table -AutoSize
        } else {
            Write-Output "No security patches detected for afd.sys."
        }
    } else {
        Write-Output "afd.sys not found. System may not be exposed."
    }
} catch {
    Write-Error "Error auditing afd.sys: $_"
}

This script audits the afd.sys driver version and reviews security update status, enabling teams to baseline their exposure.

REMEDIATION

Given this is an informational update, no new patch or remediation is required. However, practitioners should:

  • Validate that systems are running the latest cumulative security updates for their OS branch.
  • Monitor afd.sys version for deviations from baseline (unexpected changes may signal compromise or unofficial driver replacement).
  • Review endpoint privilege escalation detections and ensure that local EoP threats are prioritized in XDR/SIEM policies.

For ongoing hardening:

  • Restrict local admin access and monitor for privilege escalation attempts.
  • Apply least privilege to all accounts and applications.
  • Enable kernel-mode driver signing enforcement (Device Guard, Secure Boot) where possible.

All remediation actions are non-destructive and can be performed in dry-run/reporting mode.

WHAT’S COMING

Microsoft typically releases security patches for kernel-mode drivers (including afd.sys) in the monthly Patch Tuesday cycle. No new fix is scheduled for CVE-2026-45638 as of this update. Practitioners should:

  • Monitor MSRC for future advisories related to afd.sys, privilege escalation, or local exploit chains.
  • Prepare for rapid patch deployment in future cycles, especially if a new EoP flaw is publicly disclosed or exploited.
  • Continue prioritizing kernel-mode driver vulnerabilities in risk assessment and patch management workflows.

TREND CHECK

Privilege escalation flaws in Windows kernel drivers — especially afd.sys — have remained steady in frequency over the past two years. While Microsoft’s security posture is improving (fewer high-severity EoP bugs, faster patch turnaround), kernel drivers remain a top target for both financially motivated and APT actors. Recent campaigns (notably, QakBot, LockBit) have leveraged local privilege escalation to bypass EDR and deploy ransomware. The informational nature of this update suggests improved transparency, but practitioners should not relax vigilance. The threat class is steady, not declining.

RELATED THREATS & CAMPAIGNS

Recent advisories for Windows kernel drivers (e.g. CVE-2024-26231, CVE-2024-30020) highlight continued interest from attackers in local privilege escalation. No active exploitation is reported for CVE-2026-45638, but defenders should assume that kernel driver vulnerabilities are always in scope for post-compromise escalation.

MITIGATION PRIORITY

Priority: Next patch cycle. Since the update is informational and no new exploit or patch is present, treat this as part of ongoing hygiene. Review afd.sys baseline, validate patch status, and ensure your detection controls for local EoP remain current. Escalate urgency if new exploit details emerge or if the vendor releases a functional patch.

Practitioner’s verdict: This is not an immediate threat, but kernel driver privilege escalation remains a perennial risk. Maintain vigilance, baseline afd.sys, and monitor MSRC for any new actionable updates.