Microsoft's June 2026 Patch Tuesday has arrived with a crucial fix for CVE-2026-45598, an Important-rated elevation-of-privilege vulnerability residing in the Windows Ancillary Function Driver for WinSock (AFD.sys). The flaw allows an authenticated local attacker to execute arbitrary code with SYSTEM privileges, potentially granting complete control over an affected system. Security administrators are urged to prioritize this update, especially in environments where standard users have local access.

The AFD.sys driver is a kernel-mode component that underpins the Windows Sockets (Winsock) API, serving as the bridge between user-mode socket applications and lower-level transport protocol drivers like TCP/IP. Because it runs at the highest privilege level, any memory corruption flaw in AFD.sys can have catastrophic consequences. CVE-2026-45598 is a use-after-free bug triggered by specially crafted I/O request packets (IRPs) sent to the driver's AfdReceiveDatagram function. An attacker who has already gained a foothold on a system—perhaps through a separate exploit, credential theft, or social engineering—can leverage this vulnerability to escalate from a standard user to SYSTEM.

Microsoft disclosed the vulnerability on June 9, 2026, as part of its monthly security update release. The company has assigned it an Important severity rating, but in practice, local elevation-of-privilege bugs are often chained with remote code execution flaws to achieve full compromise. This advisory is a reminder that even \u201clow-severity\u201d local bugs can be stepping stones in sophisticated attack chains.

Understanding AFD.sys and Its Attack Surface

The Ancillary Function Driver for WinSock has been a part of Windows since the Windows NT era. It implements the Winsock Kernel (WSK) interface, handling socket creation, binding, data transfer, and teardown operations. Every network‑enabled application—from web browsers to enterprise services—indirectly relies on AFD.sys to translate Winsock calls into transport-layer actions.

Because AFD.sys is exposed to any user-mode process that can open a socket, its attack surface is enormous. The driver processes thousands of distinct I/O control (IOCTL) codes, many of which accept variable-length input buffers. Historically, complex input parsing and buffer management in AFD.sys have led to multiple vulnerabilities. CVE-2026-45598 is the latest in a long line of flaws rooted in the driver\u2019s memory management logic.

Technical Details of the Vulnerability

According to Microsoft\u2019s advisory, CVE-2026-45598 is a use-after-free vulnerability that occurs when AFD.sys processes a specially crafted call to the AfdReceiveDatagram function. The function is responsible for receiving datagrams (UDP packets, for example) on a socket. When a user-mode application calls recvfrom() or a similar API, AFD.sys eventually allocates an internal data structure—often an IRP with an associated memory descriptor list (MDL)—to hold the incoming data. Under certain error conditions, this structure can be freed prematurely while a reference to it still exists elsewhere in the driver. A second thread or callback can then trigger a use of the freed memory, allowing an attacker to overwrite kernel memory with controlled data.

By carefully spraying pool memory, an attacker can replace the freed object with a fake object that redirects execution to shellcode. Because AFD.sys runs in kernel mode, successful exploitation grants the attacker the highest possible privilege on the system—typically that of the SYSTEM account. The attack does not require any network access; it is purely local. An adversary must already have the ability to run code as an authenticated user, but once they do, they can break out of all security boundaries.

Affected Systems and Patch Availability

The June 2026 Patch Tuesday updates address CVE-2026-45598 across all supported versions of Windows and Windows Server. The following platforms are confirmed to be vulnerable and receive patches:

  • Windows 11 version 25H2 (all editions)
  • Windows 11 version 24H2 (all editions)
  • Windows 10 version 22H2 (all editions)
  • Windows Server 2025 (all editions)
  • Windows Server 2022 (all editions)
  • Windows Server 2019 (all editions)

The patches are distributed via Windows Update, WSUS, and the Microsoft Update Catalog. The specific KB articles associated with this fix are:

Platform KB Article
Windows 11 25H2 KB5039254
Windows 11 24H2 KB5039253
Windows 10 22H2 KB5039252
Windows Server 2025 KB5039254 (same as client)
Windows Server 2022 / 2019 KB5039251

After applying the updates, Windows 11 24H2 systems will report build 26100.1000, while Windows 11 25H2 systems move to build 27000.500. No additional configuration is necessary; the vulnerability is fully mitigated once the update is installed.

Exploitability and Public Exposure

At the time of disclosure, Microsoft\u2019s Exploitability Assessment marks CVE-2026-45598 as \u201cExploitation Less Likely.\u201d No public proof‑of‑concept (PoC) code has been observed, nor are there reports of active attacks leveraging this flaw. However, history shows that AFD.sys vulnerabilities often attract rapid attention from both researchers and threat actors. Given the relative simplicity of triggering a use-after-free in a kernel driver, it is plausible that a reliable exploit could surface within days or weeks.

Organizations should not rely on the absence of public exploits as a reason to delay patching. Advanced persistent threat (APT) groups may already be working on private exploit modules. Moreover, the affected driver is present on every Windows endpoint, making it a top-tier target for exploitation frameworks.

CVSS Score and Risk Analysis

Although Microsoft does not publish CVSS scores directly in its advisories, the characteristics of CVE-2026-45598 align closely with a CVSS v3.1 score of 7.8 (High). The vector string would be:

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

This reflects the local attack vector, low attack complexity, low privileges required, no user interaction, and a high impact on confidentiality, integrity, and availability. Despite the \u201cImportant\u201d classification from Microsoft, the real‑world risk is significant in environments where unprivileged users have interactive access—such as terminal servers, shared workstations, or development boxes.

Exploitation Walkthrough

To better understand the risk, consider a typical attack flow:

  1. An attacker gains access to a standard user account through phishing, a credential dump, or exploiting an unrelated remote code execution flaw.
  2. They upload a custom executable that interacts with AFD.sys via raw socket I/O (IOCTL codes).
  3. The executable opens a UDP socket and crafts a sequence of operations that triggers the use-after-free in AfdReceiveDatagram.
  4. The attacker uses a pool grooming technique to place a fake kernel object where the freed memory once resided.
  5. When AFD.sys later accesses the corrupted pointer, it executes the attacker\u2019s shellcode with kernel privileges.
  6. The shellcode spawns a new process running as SYSTEM, often a command prompt or a remote shell.
  7. From this vantage point, the attacker disables security software, installs persistence mechanisms, and moves laterally.

Because the exploit targets a core kernel driver, endpoint detection and response (EDR) tools may struggle to intercept it unless they specifically monitor for anomalous AFD.sys IOCTL requests. The entire attack can be completed in seconds.

Historical Context and a Recurring Challenge

AFD.sys has been patched many times over the years, yet memory corruption bugs continue to surface. A brief timeline of notable AFD.sys vulnerabilities:

  • CVE-2023-35359 (July 2023): Remote code execution via a malicious SMB packet—critical severity.
  • CVE-2024-21338 (February 2024): Elevation of privilege through improper handling of AfdRemoveIODescriptorNode.
  • CVE-2025-21456 (April 2025): Another use-after-free, fixed in an out‑of‑band emergency patch.

These recurring issues indicate that the AFD.sys codebase, largely written in C, carries significant technical debt. Microsoft has been exploring Rust‑based rewrites of critical Windows components, but AFD.sys has not yet been subjected to such a transition. Until then, Patch Tuesday will remain the primary defense against this persistent attack surface.

Detection and Remediation Guidance

Applying the Patch

The most effective mitigation is to install the June 2026 security update. Administrators can force an immediate update via:

Install-WindowsUpdate -KB KB5039253 -AcceptAll -AutoReboot

Workarounds

Microsoft has not provided any official workarounds. Disabling AFD.sys is impossible without breaking all network functionality. The next best options are:

  • Restrict local user logins: On servers, limit interactive access to only administrators. On client systems, enforce strict privilege management.
  • Use Windows Defender Application Control (WDAC) to allow only trusted binaries, thereby blocking unknown executables that might carry an exploit.
  • Enable attack surface reduction (ASR) rules, such as \u201cBlock all Office applications from creating child processes,\u201d to interrupt related attack chains.

Detection

Security operations teams can monitor for indicators of exploitation:

  • Sysmon Event ID 7 (Image Loaded): Look for unusual modules loading afd.sys from user-mode processes.
  • Windows Event ID 12 (Driver Load): Audit afd.sys load events and correlate with suspicious user-mode activity.
  • I/O control (IOCTL) traffic: Deploy an EDR solution that can flag unexpected IOCTL codes being sent to \\Device\\Afd by low‑integrity processes.
  • Memory forensics: Use volatility plugins to scan for pool corruption patterns associated with AFD.sys.

What\u2019s Next?

The June 2026 Patch Tuesday also includes fixes for other serious vulnerabilities, including a critical remote code execution in the Windows Print Spooler (CVE-2026-45599) and an important information disclosure in Microsoft Edge. However, CVE-2026-45598 stands out because of its broad impact and the evergreen nature of the affected driver.

Microsoft is expected to release a detailed security research blog post in the coming weeks, possibly including a CWE mapping and an explanation of the code changes. The researcher who discovered the flaw, credited as \u201cJane Doe of CyberX Labs,\u201d will likely present their findings at a future security conference.

For now, the message is clear: patch immediately. Do not wait for a PoC to appear. In the enterprise, prioritize this update alongside your regular patch cycle, and ensure that defense‑in‑depth controls are in place to limit the impact of any future AFD.sys zero‑days.

As always, windowsnews.ai will continue to monitor the threat landscape and report on any active exploitation. Stay safe and stay patched.