VYPR
Patch · Published Apr 15, 2026 · Updated May 18, 2026 · 1 source

Microsoft Patches High-Severity afd.sys Race Condition Allowing Local Privilege Escalation (CVE-2026-32073)

Microsoft has released a security update for CVE-2026-32073, a CVSS 7.8 race condition in the afd.sys driver that lets low-privileged attackers gain kernel-level code execution on Windows.

Microsoft has issued a security update to address CVE-2026-32073, a high-severity local privilege escalation vulnerability in the Windows afd.sys driver. The flaw, disclosed on April 15, 2026, by the Zero Day Initiative (ZDI-26-277), carries a CVSS score of 7.8 and allows an attacker with low-privileged code execution to escalate privileges to the kernel level, enabling arbitrary code execution.

The vulnerability stems from a race condition caused by improper locking when the afd.sys driver performs operations on an object. The afd.sys driver is a core component of the Windows networking stack, responsible for handling Winsock Kernel (WSK) operations. The race condition can be triggered locally, meaning an attacker must first gain the ability to execute low-privileged code on the target system—for example, through a separate vulnerability or by having a user account on the machine.

Successful exploitation grants the attacker SYSTEM-level privileges, effectively giving them full control over the affected Windows system. With kernel access, an attacker can disable security software, install persistent backdoors, steal sensitive data, or pivot to other systems on the network. The vulnerability affects all supported versions of Windows, though Microsoft has not specified which builds are impacted.

Microsoft has released a security update as part of its April 2026 Patch Tuesday cycle. The update is available through the Microsoft Security Response Center (MSRC) at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32073. Administrators and users are strongly advised to apply the patch immediately, especially on systems where untrusted users have local access, such as in enterprise environments or multi-user servers.

The vulnerability was reported to Microsoft on January 12, 2026, by an anonymous researcher. The coordinated disclosure followed a three-month window, culminating in the public advisory on April 15. No evidence of in-the-wild exploitation has been reported at the time of disclosure, but the detailed advisory and high CVSS score make it a likely target for threat actors seeking to chain it with other exploits.

This vulnerability is part of a broader trend of privilege escalation flaws in Windows kernel drivers. Recent months have seen similar issues in the Windows kernel, including the "MiniPlasma" zero-day exploit that also grants SYSTEM access. Microsoft continues to harden its kernel drivers, but race conditions remain a persistent challenge due to the complexity of concurrent operations in the Windows kernel.

Organizations should prioritize patching CVE-2026-32073, particularly on domain controllers, file servers, and other systems where local privilege escalation could lead to lateral movement or data compromise. As always, maintaining the principle of least privilege and monitoring for unusual kernel-level activity can help mitigate the risk of exploitation.

Synthesized by Vypr AI