CVE-2025-21418
afd.sys — heap-based buffer overflow allows SYSTEM escalation
Exploited in the Wild
This vulnerability was exploited in the wild before or shortly after the patch was released, and it has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
Summary
| Field | Value |
|---|---|
| Driver | afd.sys |
| Vulnerability Class | Buffer Overflow (Heap) |
| CVSS | 7.8 |
| Exploited ITW | Yes |
| Patch Date | February 11, 2025 |
Root Cause
Heap-based buffer overflow in the Windows Ancillary Function Driver for WinSock (afd.sys). A local, authenticated attacker triggers the overflow to corrupt adjacent kernel pool (heap) objects and escalate to SYSTEM. Affects 37 Windows builds from Server 2008 R2 through Windows 11.
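A defender-side triage check for the affected-build and patch-date facts stated above, added here as example code that is not part of the original advisory: it reads the installed afd.sys file version and looks for any Windows update installed on or after the February 11, 2025 patch date. The minimum patched driver version is not given on the page, so `$PatchedVersion` is a placeholder to be filled in from the vendor advisory for the host's build.

```powershell
# Added example (not from the advisory): triage a host's patch state for CVE-2025-21418.
# Assumption: $PatchedVersion is a PLACEHOLDER; take the real value for the host's build
# from the vendor's February 11, 2025 release notes before trusting VersionCheckPassed.
function Test-Afd21418PatchState {
    param(
        [string]$DriverPath = "$env:SystemRoot\System32\drivers\afd.sys",
        [version]$PatchedVersion = [version]'0.0.0.0',   # PLACEHOLDER, see note above
        [datetime]$PatchDate = [datetime]'2025-02-11'    # patch date stated in the advisory
    )

    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($DriverPath)
    # Build a comparable [version] from the numeric parts; FileVersion strings on Windows
    # drivers often carry a trailing "(WinBuild...)" tag that does not parse.
    $installed = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                                $info.FileBuildPart, $info.FilePrivatePart)

    # Win32_QuickFixEngineering (Get-HotFix) lists updates with their install date; a
    # cumulative update installed on or after the patch date is a heuristic sign the
    # fix is present, not proof of it.
    $recent = @(Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchDate } |
        Sort-Object InstalledOn -Descending)

    # The version comparison only counts once the placeholder has been replaced.
    $versionOk = ($PatchedVersion -ne [version]'0.0.0.0') -and ($installed -ge $PatchedVersion)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OSBuild            = $os.BuildNumber
        AfdVersion         = $installed
        PatchedVersion     = $PatchedVersion
        VersionCheckPassed = $versionOk
        UpdatesSincePatch  = @($recent | Select-Object -ExpandProperty HotFixID)
        LikelyPatched      = $versionOk -or ($recent.Count -gt 0)
    }
}

Test-Afd21418PatchState | Format-List
```

Treat `LikelyPatched` as a prioritisation signal for fleet triage; the authoritative answer comes from comparing `AfdVersion` against the vendor's fixed version for that exact build.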
Exploitation
The heap overflow corrupts adjacent kernel pool allocations. From there, an attacker either hijacks control flow or manipulates kernel data structures to escalate privileges to SYSTEM.
Exploitation Primitive
Heap buffer overflow in afd.sys → adjacent pool corruption → SYSTEM