Impact
A use-after-free in the Windows Ancillary Function Driver for WinSock allows local privilege escalation. An attacker with authorized access can manipulate the driver to execute code with elevated rights, potentially compromising the entire system. The flaw stems from a race condition and a dangling pointer (CWE‑362 and CWE‑416), which allow the driver to use freed memory.
Affected Systems
All supported Windows 10 releases from version 1607 to 22H2, Windows 11 builds 23H2 through 26H1, and the Windows Server family including 2012, 2016, 2019, 2022, and 2025 (both normal and server core installations) are vulnerable. This includes both x86 and x64 architectures as well as ARM64 for the newer Windows 11 editions.
Risk and Exploitability
With a CVSS score of 7, the vulnerability is considered high severity, but no EPSS score is currently available and it is not listed in the CISA KEV catalog. The attack vector requires local, authenticated access, meaning that only users who already have logon privileges can exploit the flaw. Delivery of the exploit would involve an interaction with the driver, likely triggered by local instrumentation or malicious code running under the user’s rights.