
CVE-2025-49661

afd.sys -- untrusted pointer dereference allows elevation of privilege

Summary

Field                Value
Driver               afd.sys
Vulnerability Class  Untrusted Pointer Dereference
CVSS                 7.8
Exploited ITW        No
Patch Date           July 8, 2025

Root Cause

The Ancillary Function Driver for WinSock (afd.sys) is the kernel-mode half of the Windows networking stack, responsible for translating user-mode socket API calls into kernel operations. It processes a high volume of user-supplied data on every Windows system, making it a frequent target for vulnerability research.

In this case, the driver takes a pointer value from user-supplied input during a WinSock operation and dereferences it in kernel context without first validating that it points to a legitimate kernel object. The pointer arrives through the normal IOCTL path for socket operations, and the driver trusts it implicitly. By controlling the pointer value, an attacker controls where the kernel reads from or writes to, depending on the specific code path triggered.

ZeroPath published an analysis detailing how the untrusted pointer reaches a dereference site without passing through any validation or probing. The vulnerability is reachable from any local user account with the ability to create sockets, which is the default for all interactive users on Windows.
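As an added illustration of the vulnerability class (constructed for this write-up; not afd.sys code and not taken from the ZeroPath analysis), the snippet below places an IOCTL handler that dereferences a pointer from the input buffer beside one that accepts only an opaque handle and resolves it through a kernel-owned table. The object layout, handle table, magic tag and function names are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a kernel object and a per-process handle table.
 * This is an added illustration of the class, not afd.sys internals. */
#define KOBJ_MAGIC 0x4B4F424Au           /* "KOBJ" tag used as a sanity check */
#define MAX_HANDLES 8

typedef struct { uint32_t magic; int state; } kobject_t;

static kobject_t objects[MAX_HANDLES];
static kobject_t *handle_table[MAX_HANDLES];

/* Create a kernel-owned object and register it under a handle index. */
kobject_t *install_object(uint32_t idx, int state) {
    if (idx >= MAX_HANDLES) return NULL;
    objects[idx].magic = KOBJ_MAGIC;
    objects[idx].state = state;
    handle_table[idx] = &objects[idx];
    return handle_table[idx];
}

/* Shape of the IOCTL input buffer as copied from user mode. */
typedef struct {
    uint32_t handle;   /* hardened path: opaque index resolved by the kernel */
    void    *object;   /* vulnerable path: raw pointer the kernel trusts */
} ioctl_input_t;

/* Vulnerable pattern: the kernel reads through a pointer the caller chose.
 * Whatever address user mode writes here is where the kernel reads from. */
int vulnerable_get_state(const void *buf, size_t len) {
    const ioctl_input_t *in = buf;
    if (len < sizeof *in) return -1;
    return ((const kobject_t *)in->object)->state;  /* untrusted pointer dereference */
}

/* Hardened pattern: user mode supplies only a handle; the kernel resolves it
 * through its own table and validates the object before using it. */
int hardened_get_state(const void *buf, size_t len) {
    const ioctl_input_t *in = buf;
    if (len < sizeof *in) return -1;                        /* buffer length check */
    if (in->handle >= MAX_HANDLES) return -1;               /* index bounds check */
    const kobject_t *obj = handle_table[in->handle];
    if (obj == NULL || obj->magic != KOBJ_MAGIC) return -1; /* object validity check */
    return obj->state;                                      /* in->object is never used */
}
```

The same input buffer makes the vulnerable handler return whatever the caller placed in its own memory, while the hardened handler only ever reads the object the kernel registered, and rejects unknown, out-of-range or short requests.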

Exploitation

An attacker crafts a WinSock operation that passes a controlled pointer value to afd.sys. The kernel dereferences this pointer, giving the attacker either a read or write primitive depending on which internal code path processes it.

With a write primitive, the attacker can directly corrupt kernel objects. With a read primitive, the attacker can leak kernel addresses to defeat KASLR. In either case, chaining with heap spraying to control the memory layout around the target address yields a reliable SYSTEM escalation. The AFD driver processes socket operations in the NonPagedPoolNx, and standard pool grooming techniques apply.

Exploitation Primitive

Crafted WinSock operation -> untrusted pointer passed to afd.sys
  -> kernel dereference at attacker-controlled address
  -> read/write primitive -> heap spray -> SYSTEM

Broader Significance

afd.sys has a long history of exploitable vulnerabilities, from CVE-2023-21768 through CVE-2025-21418 and now CVE-2025-49661. The driver's position as the mandatory intermediary between user-mode sockets and the kernel network stack means every Windows machine runs it, and every local user can reach it. Untrusted pointer dereferences are among the simplest vulnerability classes to exploit when they occur in kernel code, because the attacker directly controls the target address without needing to win a race or shape a heap layout.
