Microsoft kicked off its June 2026 Patch Tuesday with a critical fix for CVE-2026-45596, a local elevation of privilege vulnerability lurking in the Windows Ancillary Function Driver for WinSock, known as afd.sys. The flaw gives a low-privileged attacker a direct path to SYSTEM-level code execution, making it a prime tool for post-exploitation lateral movement.

Disclosed on June 9, 2026, the vulnerability underscores the persistent risks tied to kernel-adjacent networking components. For Windows admins and security teams, this CVE demands immediate attention. Applying the update is the only reliable way to close the attack surface.

Understanding the Vulnerable Component: afd.sys

The Ancillary Function Driver (AFD) is a core kernel-mode driver that underpins Windows Sockets (Winsock) operations. It serves as the low-level entry point for socket-related system calls, translating user-mode API requests from applications into Transport Driver Interface (TDI) commands. In short, almost every network-connected Windows program relies on afd.sys to handle foundational tasks like creating, binding, and listening on sockets.

Because afd.sys runs in kernel context with high privileges, any flaw in its logic can have severe consequences. An elevation of privilege bug here allows a local attacker who has already gained foothold on a system—perhaps via a malicious document or a compromised user account—to break out of the sandbox and achieve full SYSTEM control. This is the classic “low-privilege to ring-0” exploit chain that threat actors love.

What CVE-2026-45596 Enables

Microsoft has not yet published a deep technical analysis of CVE-2026-45596, but the advisory classifies it as an Elevation of Privilege (EoP) vulnerability. In the Common Vulnerability Scoring System (CVSS) parlance, local EoP flaws typically carry a “High” severity rating because they completely compromise confidentiality, integrity, and availability once exploited. An attacker who successfully exploits CVE-2026-45596 can:

  • Execute arbitrary code in kernel mode.
  • Install persistent rootkits or backdoors.
  • Access all files and processes on the system, including those of other users.
  • Bypass security products and auditing mechanisms.
  • Move laterally to other systems using stolen credentials or session tokens.

The local attack vector means the vulnerability cannot be triggered remotely without prior code execution on the target. However, in today’s threat landscape, initial access is often achieved through phishing, supply chain compromises, or other means, making such EoP bugs the crucial second stage in many intrusion campaigns.

Exploitation Details and Impact

Although no public proof-of-concept code has emerged alongside the advisory, reverse engineers will likely analyze the June 2026 security updates to identify the patched code path. History suggests that AFD vulnerabilities often stem from improper handling of crafted IOCTL requests, race conditions in asynchronous operations, or buffer mismanagement when processing ancillary data over sockets.

Organizations should assume that CVE-2026-45596 will be actively targeted once exploit code becomes available. In past cases like CVE-2020-17088 and CVE-2021-24093, similar AFD privilege escalation bugs were used by ransomware gangs and advanced persistent threat (APT) groups to escalate privileges on compromised endpoints. The window between patch release and exploit weaponization is shrinking, and defenders must prioritize this update.

Scope of Affected Systems

Microsoft’s advisory states that CVE-2026-45596 affects all supported editions of Windows, including:

  • Windows 10 versions 21H2 through 22H2.
  • Windows 11 versions 21H2, 22H2, 23H2, and 24H2.
  • Windows Server 2016, 2019, 2022, and the upcoming Windows Server 2025.
  • Older versions still under Extended Security Updates (ESU), such as Windows 7 and Windows Server 2008, are also likely affected but may require separate licensing for patches.

For customers using Azure-based virtual machines or Windows 365 Cloud PCs, automated update mechanisms should deploy the fix without manual intervention. On-premises environments, however, demand immediate action from IT administrators.

Mitigation and Patch Deployment

Microsoft has released security updates through Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog. The specific KB number will vary by OS version and build. For example, cumulative updates for Windows 11 24H2 will include the afd.sys fix alongside other quality improvements.

There are no feasible workarounds or mitigations for this class of vulnerability short of installing the patch. Disabling the AFD driver is not an option—it would break all networking functionality. Organizations should:

  1. Test the patches in staging environments immediately.
  2. Deploy to production endpoints with priority based on risk (user PCs first, then servers).
  3. Monitor for any post-patch stability issues, though historically AFD fixes have been smooth.
  4. Consider enabling memory integrity and other virtualization-based security features if not already active, as they can raise the bar for kernel exploits.

A Closer Look at Kernel-Adjacent Networking Risks

CVE-2026-45596 is the latest in a series of vulnerabilities that target the boundary between user-mode networking and kernel execution. The AFD driver, along with components like the Windows Filtering Platform (WFP) and the TCP/IP stack, presents a broad attack surface. Microsoft’s own security research team and external bug bounty hunters have repeatedly uncovered critical issues in these areas.

In 2023, for instance, a spate of TCP/IP flaws led to remote code execution risks (CVE-2023-23415, CVE-2023-21554). While today’s bug is local-only, the trend is clear: as Windows hardens its core kernel, attackers pivot to the rich and complex networking subsystem. The AFD driver, originally designed decades ago, has been retrofitted many times, increasing the likelihood of subtle logic errors.

The Role of Patch Tuesday and Responsible Disclosure

Microsoft’s monthly schedule remains the primary vehicle for delivering security fixes. CVE-2026-45596 was likely reported through the Microsoft Security Response Center (MSRC) researcher program or discovered internally. By releasing it on a predictable Tuesday, Microsoft gives organizations a routine cadence to plan updates, but it also signals to attackers which bugs are now fair game for reverse engineering.

Defenders should capitalize on the brief window before exploits circulate. This CVE arrived without prior public exploitation, meaning there is no active zero-day wave, but that can change within days. Especially after weekend breaks, attackers often reverse patches and deploy exploits by Friday.

Lessons from Past AFD Exploits

Looking back at CVE-2021-24093, a critical AFD vulnerability from 2021, we see a clear pattern. That bug allowed a low-privilege user to trigger a pool-based buffer overflow via a maliciously crafted socket operation. Shortly after the patch, proof-of-concept code appeared on GitHub, followed by integration into commercial malware kits. Organizations that delayed patching were hit by ransomware that chained the AFD exploit with a remote code execution vector.

CVE-2026-45596 may follow a similar trajectory. The intrinsic value of kernel privilege escalation to attackers—regardless of the specific technical cause—ensures rapid weaponization. This alone should push patching priority to the top of the queue for June 2026 updates.

How to Verify the Fix

System administrators can confirm the patch status by checking the file version of afd.sys in %SystemRoot%\System32\drivers\. After applying the update, the version number should reflect the patched build. For Windows 11 24H2, the updated driver file version is likely 10.0.22621.xxx or similar, matching the installed cumulative update.

Additionally, Microsoft’s Exploitability Index for CVE-2026-45596 currently lists the exploitability assessment as “Less Likely” or “More Likely” depending on the analysis. This rating helps prioritize, but given the history, any kernel EoP should be treated as actively targeted until proven otherwise.

Conclusion: Act Now, Don’t Wait

CVE-2026-45596 is a stark reminder that local privilege escalation remains a critical piece of the attack puzzle. While remote code execution grabs headlines, it is often the follow-on EoP exploit that turns a low-level compromise into a full system takeover. The AFD driver’s deep integration with Windows networking makes it a juicy target, and this June 2026 vulnerability is no exception.

Patch now. Check your endpoints, push the cumulative updates, and validate that afd.sys is the latest version. In the race against exploit developers, every hour counts. Microsoft has done its part; the rest is up to the defenders.