CVE-2025-53147
afd.sys — use-after-free allows elevation of privilege
Summary
| Field | Value |
|---|---|
| Driver | afd.sys |
| Vulnerability Class | Use-After-Free |
| CVSS | 7.8 |
| Exploited ITW | No |
| Patch Date | August 12, 2025 |
Root Cause
The AFD driver frees a socket-related object while a reference to it remains active. A subsequent operation dereferences the stale pointer into freed memory. The attacker reclaims that memory with controlled data.
Exploitation
The attacker triggers the UAF through a sequence of socket operations, then reclaims the freed memory with controlled data via heap spraying. The stale pointer dereference operates on the attacker's data, giving a kernel memory corruption primitive.
Exploitation Primitive
Socket operation sequence → premature free → stale reference
→ heap reclaim → kernel memory corruption → SYSTEM