CVE-2025-21418
afd.sys -- heap-based buffer overflow allows SYSTEM escalation
Exploited in the Wild
This vulnerability was exploited in the wild before or shortly after patching. Added to CISA KEV.
Summary
| Field | Value |
|---|---|
| Driver | afd.sys |
| Vulnerability Class | Buffer Overflow (Heap) |
| CVSS | 7.8 |
| Exploited ITW | Yes |
| Patch Date | February 11, 2025 |
Root Cause
The Windows Ancillary Function Driver for WinSock (afd.sys) is one of the most battle-tested kernel components in Windows. It handles the kernel side of socket operations and is loaded on every Windows installation since the earliest NT versions. Despite decades of scrutiny, CVE-2025-21418 revealed a heap-based buffer overflow that was actively exploited as a zero-day.
The vulnerability occurs when afd.sys processes certain socket operations and copies data into a kernel heap buffer without properly validating the input length. The overflow corrupts adjacent allocations in the kernel pool. The bug affects an extraordinarily wide range of Windows versions, spanning 37 builds from Server 2008 R2 through Windows 11, suggesting the vulnerable code path has been present for over a decade.
The breadth of affected versions is notable. When a single bug spans from Server 2008 R2 to Windows 11, it indicates the vulnerability lives in core socket handling logic that has remained largely unchanged across major Windows releases. That stability is exactly what makes afd.sys an attractive target: exploit development done once works across the entire Windows installed base.
Exploitation
The attacker triggers the heap overflow through crafted socket operations. The overflow corrupts adjacent pool allocations, and the attacker uses pool spray techniques to control which kernel objects sit next to the vulnerable buffer.
Once a controlled object is corrupted, the attacker gains a kernel read/write primitive. From there, standard techniques (token swap, process privilege manipulation) escalate to SYSTEM. The entire attack is local: no network access is needed, just the ability to run code as any authenticated user.
Exploitation Primitive
Crafted socket operation --> heap buffer overflow in afd.sys
--> adjacent pool object corruption
--> kernel R/W primitive --> token swap --> SYSTEM
Broader Significance
afd.sys is a high-value target because it is universally present, reachable from any user, and handles complex data structures from user-mode input. CVE-2025-21418 joins CVE-2023-21768, CVE-2024-38193, and other afd.sys bugs in demonstrating that this driver remains a productive hunting ground. The 37-build blast radius made this zero-day particularly dangerous: a single exploit binary could compromise nearly any Windows system in production. For defenders, afd.sys patches should always be treated as urgent.