CVE-2025-49661
afd.sys — untrusted pointer dereference allows elevation of privilege
Summary
| Field | Value |
|---|---|
| Driver | afd.sys |
| Vulnerability Class | Untrusted Pointer Dereference |
| CVSS | 7.8 |
| Exploited in the wild (ITW) | No |
| Patch Date | July 8, 2025 |
Root Cause
The AFD driver dereferences a user-supplied pointer in a kernel-mode code path without validating it first. A local attacker therefore obtains a controlled pointer dereference primitive that corrupts kernel memory.
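As an added illustration of the bug class (not afd.sys's code and not part of the advisory), the following C contrasts the unchecked pattern with the standard kernel-driver fix: probe the user pointer against an alignment, wrap-around and user/kernel boundary check, then copy the structure into kernel-owned memory before using any field. The request structure, the function names and the `MODEL_USER_PROBE_ADDRESS` constant are all constructed for this example; on x64 Windows the real boundary is the kernel variable `MmUserProbeAddress` and the checks are performed by `ProbeForRead`/`ProbeForWrite` inside a `__try`/`__except` block.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the top of user address space. On x64 Windows the
 * kernel reads this from MmUserProbeAddress; the value here is a model constant
 * chosen so the file runs as an ordinary user-mode program. */
#define MODEL_USER_PROBE_ADDRESS ((uintptr_t)0x0000800000000000ULL)

/* Hypothetical 16-byte request a caller hands to a driver by pointer. */
typedef struct {
    uint32_t opcode;
    uint32_t flags;
    uint64_t length;
} afd_like_request_t;

/* Vulnerable pattern (untrusted pointer dereference): the caller-supplied
 * pointer is trusted outright, so any address, kernel addresses included,
 * is dereferenced. Shown only to make the hardened version's changes visible. */
static int handle_request_unchecked(const afd_like_request_t *user_req, uint64_t *out_len)
{
    *out_len = user_req->length;   /* reads from wherever user_req points */
    return 0;
}

/* Hardened pattern, step 1: validate the range [addr, addr+len).
 * Returns 1 when it is aligned, does not wrap around the address space and
 * lies entirely below the user/kernel boundary; 0 otherwise. */
static int probe_user_range(uintptr_t addr, size_t len, size_t align)
{
    if (len == 0)
        return 1;                       /* an empty range is vacuously valid */
    if (align == 0 || (align & (align - 1)) != 0)
        return 0;                       /* alignment must be a power of two */
    if (addr == 0)
        return 0;                       /* the real kernel would fault here and
                                           catch it in __except; a user-mode
                                           model cannot, so reject outright */
    if ((addr & (align - 1)) != 0)
        return 0;                       /* misaligned */
    if (addr > UINTPTR_MAX - len)
        return 0;                       /* addr + len would wrap around */
    if (addr + len > MODEL_USER_PROBE_ADDRESS)
        return 0;                       /* range reaches into kernel space */
    return 1;
}

/* Hardened pattern, step 2: probe, then copy into a kernel-owned local before
 * using any field. The copy also closes the TOCTOU window: another thread
 * cannot alter the validated fields after the check. Returns 0 on success,
 * -1 when the pointer is rejected. */
static int handle_request_checked(uintptr_t user_ptr, uint64_t *out_len)
{
    afd_like_request_t local;
    if (!probe_user_range(user_ptr, sizeof(local), _Alignof(afd_like_request_t)))
        return -1;
    memcpy(&local, (const void *)user_ptr, sizeof(local));
    *out_len = local.length;
    return 0;
}

int main(void)
{
    afd_like_request_t req = { 1, 0, 4096 };   /* constructed sample request */
    uint64_t len = 0;
    uintptr_t kernel_ptr = (uintptr_t)0xFFFF800000000000ULL;

    /* Legitimate user-mode pointer: both handlers accept it. */
    handle_request_unchecked(&req, &len);
    printf("unchecked, valid pointer: length=%llu\n", (unsigned long long)len);
    printf("checked,   valid pointer: rc=%d length=%llu\n",
           handle_request_checked((uintptr_t)&req, &len), (unsigned long long)len);

    /* Kernel-range pointer: only the checked handler refuses it. Calling
     * handle_request_unchecked here would crash the model the same way the
     * unvalidated dereference corrupts a real kernel. */
    printf("checked,   kernel pointer: rc=%d\n", handle_request_checked(kernel_ptr, &len));
    return 0;
}
```

The probe rejects the dangerous cases before any memory is touched, and the copy-then-use order means the handler only ever reads fields from memory it owns; both halves are needed, since a probe alone still leaves a window for the caller to change the buffer between the check and the use.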
Exploitation
The attacker passes a crafted pointer through a WinSock operation. The kernel dereferences the untrusted pointer, yielding a read or write primitive depending on which code path is reached. Chaining this with heap spraying yields SYSTEM.
Exploitation Primitive
Crafted WinSock operation → untrusted pointer dereference → kernel memory corruption → SYSTEM