Impact
Improper access control in the Windows Ancillary Function Driver for WinSock allows a local attacker with authorized access to elevate privileges to system level. The weakness is a classic privilege-escalation flaw (CWE-284) in which the driver fails to verify that the caller holds sufficient permissions before granting elevated rights. An attacker who can execute code in the context of a legitimate user could therefore run arbitrary code with full administrative privileges, potentially compromising system integrity and confidentiality.
Affected Systems
Microsoft Windows 10 versions 1607, 1809, 21H2, and 22H2; Microsoft Windows 11 versions 23H2, 24H2, 25H2, 26H1 and 22H3; Microsoft Windows Server 2012 (including Server Core), 2012 R2, 2016, 2019, 2022 (including 23H2 edition) and 2025 (including Server Core). All processor architectures (x86, x64, arm64) are affected as documented by the vendor list.
Risk and Exploitability
The CVSS v3 score of 7.8 indicates a high-severity vulnerability, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, implying no publicly confirmed exploits. The description specifies that only an authorized local attacker can exploit the flaw, so the attack vector is local; this is an inference drawn from the wording "authorized attacker". Remote exploitation is not supported by the current description.
OpenCVE Enrichment