Impact
A memory corruption flaw has been identified in the Windows Ancillary Function Driver for WinSock. The flaw is a use-after-free condition that can be triggered by an authorized local user. When exercised, the driver frees an object whose stale pointer may be reused by an attacker to execute code with elevated privileges, effectively bypassing the restrictions applied to the local account. The vulnerability is classified as a classic use-after-free (CWE-416) and does not involve input validation or configuration errors. The impact is an escalation of privileges on the target machine, allowing an attacker to install software, manipulate system settings, or gain full control of the affected system.
Affected Systems
Microsoft Windows 10 versions 1607, 1809, 21H2, and 22H2; Microsoft Windows 11 versions 23H2, 24H2, 25H2, and 26H1; and Microsoft Windows Server releases 2012, 2012 R2, 2016, 2019, 2022, and 2025 are all affected. Both core and standard installations of the server editions are included. The flaw is tied to the Ancillary Function Driver bundled with the WinSock implementation in these OS releases.
Risk and Exploitability
The vulnerability receives a CVSS score of 7, indicating high severity. No EPSS value is reported, so the current exploitation probability is unknown, though it could be significant due to the local nature of the flaw. The issue is not listed in CISA's KEV catalog. An attacker needs local, authorized access to exploit the use-after-free; the available data does not support remote exploitation. The risk is therefore high for systems where privileged accounts are widely available or poorly protected, but exploitation requires that the attacker is already present on the machine.