Microsoft has released a security update to address a critical elevation-of-privilege vulnerability in the Windows Ancillary Function Driver for WinSock (AFD.sys), tracked as CVE-2026-45603. The vulnerability was disclosed through the Microsoft Security Response Center (MSRC) Security Update Guide on June 9, 2026, as part of the monthly Patch Tuesday rollout.
This flaw, rated as Important, could allow an authenticated attacker to gain SYSTEM-level privileges on a vulnerable machine. Given the widespread use of AFD.sys in facilitating Windows socket operations, the potential impact spans both client and server editions of Windows. Here's what you need to know, how the exploit works, and why applying the patch immediately is non-negotiable.
What Is AFD.sys and Why Does It Matter?
AFD.sys, short for Ancillary Function Driver for WinSock, is a kernel-mode driver that handles network socket operations in Windows. It sits between the WinSock user-mode API and the TCP/IP stack, translating application requests into kernel-level network actions. Every connection your browser, email client, or even Windows Update makes funnels through this driver.
Because it operates at kernel level, a vulnerability in AFD.sys can be catastrophic. If an attacker can exploit a flaw in the driver, they can jump from a low-privileged account—say, a standard user—to the highest possible privileges (SYSTEM), effectively taking full control of the machine. This is known as local privilege escalation (LPE).
CVE-2026-45603: The Vulnerability Breakdown
While Microsoft hasn't released full technical details to prevent exploitation before systems are patched, the MSRC advisory indicates the issue stems from improper handling of objects in memory by AFD.sys. Such vulnerabilities are often categorized as "use-after-free" or "buffer overflow" flaws, both common in kernel drivers.
To exploit CVE-2026-45603, an attacker must first gain a foothold on the target system—typically through malware, phishing, or even by having physical access. Once they have a low-integrity code execution, they can run a specially crafted program that triggers the vulnerability, corrupting kernel memory to escalate to SYSTEM. From there, they can disable security software, install rootkits, or exfiltrate sensitive data.
Discovery and Responsible Disclosure
The vulnerability was reported to Microsoft by an unnamed security researcher through the MSRC coordinated vulnerability disclosure program. Microsoft's advisory (available on the MSRC portal) credits the finder, though no further research details have been published as of this writing. This closed-door approach is standard to prevent malicious actors from weaponizing the bug before patches roll out.
Affected Windows Versions
According to the MSRC Security Update Guide, the following configurations are confirmed vulnerable:
- Windows 10 (multiple editions)
- Windows 11 (all versions)
- Windows Server 2022, 2019, and 2016
- Older, still-supported versions like Windows 10 LTSC
If you manage air-gapped systems or devices running older Windows builds, check the official advisory—some editions have reached end of service and will not receive a fix. Microsoft strongly recommends upgrading unsupported systems to a supported version.
CVE-2026-45603 Exploitability Assessment
The MSRC rates the exploitation of CVE-2026-45603 as "Less Likely" based on the current analysis. However, this classification doesn't mean you can take your time. The rating reflects factors like the complexity of crafting a reliable exploit and the requirement for local access. Even so, once a proof-of-concept appears—often within days of a patch—attackers can weaponize it quickly.
LPE bugs are particularly dangerous in multi-user environments, such as terminal servers, Azure virtual machines, or corporate workstations where multiple employees can log in. A single unpatched host can become the starting point for lateral movement across an entire network.
How to Protect Your Systems
1. Apply the June 2026 Security Update Immediately
The fix for CVE-2026-45603 is bundled in the June 9, 2026 cumulative update for Windows. For most users, this is delivered via Windows Update. Enterprise administrators should deploy the patch through WSUS, Microsoft Endpoint Configuration Manager, or their preferred patch management tool.
Important: A reboot is required. Plan for downtime accordingly.
2. Verify Patch Installation
After updating, confirm the patch took effect. Open PowerShell or Command Prompt as an administrator and run:
wmic qfe list brief /format:texttable
Locate the KB number associated with the June 2026 update.
Alternatively, check the Update History in Settings → Windows Update. The specific KB will be listed in the MSRC advisory—always cross-reference.
3. Limit Local Access
Since exploitation requires local access, enforce the principle of least privilege across user accounts. Remove unnecessary admin rights, disable unused local accounts, and employ multi-factor authentication for interactive logins.
4. Monitor Suspicious Activity
Enable Windows Defender for Endpoint or an equivalent endpoint detection and response (EDR) solution. Look for abnormal process chains involving afd.sys or unexpected elevation attempts. The following event IDs may indicate an exploit attempt:
- 4688 (process creation) with unusual parent-child relationships.
- 4104 (PowerShell script block logging) for in-memory shellcode.
- 5156 (Windows Filtering Platform) for unexpected outbound connections post-escalation.
5. Consider Additional Mitigations
If you cannot patch immediately, Microsoft may offer temporary workarounds in the advisory—though none were listed at the time of publication. In extreme cases, restricting access to the afd.sys driver via software restriction policies can offer partial mitigation, but this might break networking functionality. Always test in a staging environment.
Historical Context: AFD.sys as a Persistent Attack Surface
CVE-2026-45603 isn't an outlier. The AFD driver has been a popular target for privilege escalation exploits over the years:
- CVE-2020-17088 — An elevation-of-privilege vulnerability in AFD.sys patched in October 2020, known to be exploited in the wild.
- CVE-2021-24084 — An information disclosure flaw in AFD.sys that, while less severe, could aid in more complex attack chains.
- CVE-2022-24521 — A recent LPE in the kernel’s ancillary function driver patched in April 2022.
Each incident highlights the delicate balance between performance and security in kernel-level drivers. Because AFD.sys must handle thousands of simultaneous network operations with minimal latency, even minor coding errors can spawn severe consequences.
Industry Response and User Sentiment
On social media and IT forums, the CVE has sparked the usual mix of concern and frustration. Many system administrators point out that June's patch load is already heavy, with other critical updates for Edge and MSHTML. Some question why a six-year-old driver component continues to harbor such bugs.
One comment on the Windows Forum summed it up: "AFD.sys again? We just patched this in 2022. Microsoft needs to invest in rewriting legacy drivers instead of slapping band-aids on them."
Others, however, praised the quick turnaround from disclosure to patch. "At least this wasn't a zero-day," noted a moderator in the same thread. "We have time to test and deploy before the bad guys catch on."
What’s Next?
As of June 10, 2026, no weaponized exploit code has been sighted in the wild. However, reverse engineering of the patch will likely start within days. Once a proof-of-concept is public, even script kiddies can leverage it in malware campaigns.
Microsoft has committed to re-examining the entire WinSock driver stack for similar vulnerabilities following this report—an encouraging sign. In the meantime, the burden falls on customers to patch thoroughly and swiftly.
For IT departments, the routine is familiar but no less critical: test the update on a subset of machines, verify business-critical applications remain functional, and then roll out en masse. The window between patch release and active exploitation grows smaller each year; lagging can mean the difference between a secure network and a compromise.
For the average Windows user, the guidance is simple: hit Check for Updates, install everything, and reboot. Don't dismiss that persistent notification. The inconvenience of a restart pales next to the nightmare of a privilege escalation attack that hands control of your PC to an intruder.
Final Verdict
CVE-2026-45603 underscores the enduring dangers lurking in legacy kernel drivers. While not yet actively exploited, the severity and privileged nature of AFD.sys make this a patch-now situation. Stay informed via the MSRC portal, and apply June 2026 updates without delay.