CVE-2025-32709
afd.sys — use-after-free after socket closure allows SYSTEM escalation
Exploited in the Wild
Actively exploited zero-day targeting healthcare and government sectors since April 2025. Added to CISA KEV.
Summary
| Field | Value |
|---|---|
| Driver | afd.sys |
| Vulnerability Class | Use-After-Free |
| CVSS | 7.8 |
| Exploited ITW | Yes |
| Patch Date | May 13, 2025 |
Root Cause
After socket closure, afd.sys does not clear pointers to the freed memory blocks, so stale references remain reachable by concurrent operations. A low-privilege user can trigger the UAF to escalate to admin.
Linked to credential harvesting and ransomware campaigns targeting healthcare and government sectors.
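As an added illustration (not afd.sys code and not the vendor's fix), the following user-mode C model shows the defect class the root cause describes beside the reference-counted pattern that prevents it: a pending operation holds its own reference, and close clears the lookup slot instead of leaving it dangling. `table`, `socket_t` and the function names are assumptions constructed for this example.

```c
#include <stdlib.h>
#include <string.h>
typedef struct {
    int refs;     /* live references: the table slot plus each pending I/O */
    int closed;   /* set by close; a completing I/O must check it */
    char buf[32];
} socket_t;

static socket_t *table[4];   /* handle -> object; constructed stand-in */

socket_t *sock_open(int h) {
    socket_t *s = calloc(1, sizeof *s);
    s->refs = 1;             /* the table slot owns one reference */
    table[h] = s;
    return s;
}

/* Vulnerable pattern (the defect class the advisory describes): the object is
 * freed but the table pointer stays, so a later lookup dereferences freed memory. */
void vuln_close(int h) {
    free(table[h]);          /* table[h] now dangles */
}

static void sock_release(socket_t *s) {
    if (--s->refs == 0) free(s);   /* freed only when the last user is done */
}

/* Hardened pattern: clear the slot, mark the object closed, drop only the
 * table's reference; in-flight operations keep the object alive until done. */
void safe_close(int h) {
    socket_t *s = table[h];
    if (!s) return;
    table[h] = NULL;         /* no stale pointer left behind */
    s->closed = 1;
    sock_release(s);
}

/* A pending I/O takes its own reference when queued ... */
socket_t *io_begin(int h) {
    socket_t *s = table[h];
    if (s) s->refs++;
    return s;
}
/* ... and checks the closed flag before touching the buffer on completion. */
int io_complete(socket_t *s, const char *data) {
    int rc = -1;
    if (!s->closed) { strncpy(s->buf, data, sizeof s->buf - 1); rc = 0; }
    sock_release(s);
    return rc;
}
```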
Exploitation
Racing socket closure against pending I/O operations triggers the UAF. The freed socket memory is reclaimed with attacker-controlled data, and the stale dereference gives a kernel memory corruption primitive.
Exploitation Primitive
Socket closure race → UAF in afd.sys → heap reclaim → kernel memory corruption → SYSTEM