Impact
The vulnerability is a use‑after‑free in the Windows Ancillary Function Driver for WinSock. The flaw enables an authorized attacker running on a local machine to call the driver in a way that dereferences freed memory. Because the driver performs privileged operations, the attack can lead to unauthorized elevation of privileges and execution of code with system rights. The result is a full compromise of confidentiality, integrity, and availability on the affected host.
Affected Systems
Affected systems include various Windows desktop and server releases: Windows 10 from version 1607 up to the latest 22H2; Windows 11 versions 23H2, 24H2, 25H2, 26H1 and 22H3; and Windows Server 2012 (including Core), 2012 R2, 2016, 2019, 2022 and the upcoming 2025 editions. Clients that are local administrators or have the ability to load drivers are at risk.
Risk and Exploitability
The CVSS score of 7 indicates Medium severity for local privilege escalation. The EPSS score below 1% suggests a low probability of exploitation in the wild at present. Although the vulnerability is not listed in the CISA KEV catalog and no widely dispersed exploit has been observed, the local nature of the attack and the high impact of privilege escalation make remediation a priority. An attacker must already have local access or be able to execute code on the target; once this condition is met, the exploit path is relatively straightforward: a carefully crafted WinSock call sequence triggers the use‑after‑free.