The Windows Ancillary Function Driver for WinSock contains a type‑confusion flaw that can be triggered by an authorized local user. Exploitation of this bug bypasses intended authority boundaries and can grant SYSTEM‑level access. The weakness is a classic type‑confusion vulnerability (CWE‑416) that undermines memory safety within the driver and allows the attacker to execute arbitrary code with elevated privileges.

Affected installations include Microsoft Windows 10 editions from version 1607 through 22H2, Windows 11 releases 23H2, 24H2, 25H2, and 26H1, and the Windows Server line from 2012 through 2025 as well as the 23H2 edition. All of these systems run the AFD component for WinSock and therefore are susceptible to the privilege‑escalation condition described.

The CVSS score of 7.0 indicates a high impact severity, while the EPSS score is 0.00061 (i.e., < 1%) and the vulnerability is not listed in CISA's KEV catalog, suggesting that there has been no confirmed exploitation yet. An attacker would need local access and sufficient privileges to invoke WinSock functions that exercise the freed memory region; once achieved, the compromised process could acquire SYSTEM rights. Because this is a local privilege‑escalation scenario, the practical risk depends on the attacker’s initial foothold, but the ability to reach full control of the host makes it a high‑priority issue for internal security teams.