CVE-2025-53147
afd.sys -- use-after-free allows elevation of privilege
Summary
| Field | Value |
|---|---|
| Driver | afd.sys |
| Vulnerability Class | Use-After-Free |
| CVSS | 7.8 |
| Exploited ITW | No |
| Patch Date | August 12, 2025 |
Root Cause
The Ancillary Function Driver for WinSock continues to be a rich source of use-after-free vulnerabilities. In CVE-2025-53147, the driver frees a socket-related internal object while a reference to that object remains active in another code path. The freed memory returns to the pool allocator, but the stale pointer persists.
The lifetime management issue follows a pattern seen repeatedly in afd.sys: socket operations involve multiple internal objects with interdependent lifetimes, and not all destruction paths properly account for outstanding references. In this case, a specific sequence of socket operations causes the driver to free an object that is still being referenced by a pending or in-progress I/O operation.
When the stale pointer is eventually dereferenced, it accesses memory that may have been reallocated to a different purpose, or that the attacker has reclaimed through heap spraying. The dereference operates on whatever data now occupies that memory region, giving the attacker control over kernel execution flow.
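The lifetime pattern described above, reduced to its essentials as an added illustration (this is not afd.sys code, and `sock_obj`, `pending_io`, `close_buggy` and `close_fixed` are hypothetical names): an object is shared between its owning handle and a pending I/O request; the buggy destruction path frees it when the handle closes regardless of the outstanding reference, while the fixed path drops only the owner's reference so the object survives until the I/O completes. The pool is simulated (a freed slot is marked rather than returned to the allocator) so the stale dereference is detected deterministically instead of being undefined behaviour.

```c
/*
 * Added illustration (not afd.sys code): a simplified kernel-style object
 * whose lifetime is shared between an owner handle and a pending I/O request.
 * The buggy close path frees the object unconditionally; the fixed path frees
 * only when the last reference is dropped. The pool is simulated so a stale
 * dereference can be observed instead of being undefined behaviour.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum obj_state { OBJ_LIVE = 1, OBJ_FREED = 2 };

struct sock_obj {           /* hypothetical stand-in for an internal socket object */
    enum obj_state state;
    int refcount;           /* one reference per holder: owning handle + each pending I/O */
    int port;               /* payload the I/O completion reads back */
};

struct pending_io {         /* hypothetical pending I/O request */
    struct sock_obj *target;
};

/* Simulated pool: "freeing" marks the slot instead of calling free(), so a
 * later use of the slot is detectable rather than undefined behaviour. */
static struct sock_obj pool[4];

static struct sock_obj *pool_alloc(int port) {
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++) {
        if (pool[i].state != OBJ_LIVE) {
            pool[i].state = OBJ_LIVE;
            pool[i].refcount = 1;   /* the owning handle's reference */
            pool[i].port = port;
            return &pool[i];
        }
    }
    return NULL;
}

static void pool_free(struct sock_obj *o) {
    o->state = OBJ_FREED;
    o->refcount = 0;
    o->port = -1;               /* models the slot being reused for something else */
}

static int pool_live_count(void) {
    int n = 0;
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++)
        n += (pool[i].state == OBJ_LIVE);
    return n;
}

/* Reference-count discipline: every holder takes a reference... */
static void obj_ref(struct sock_obj *o) { o->refcount++; }

/* ...and the object is freed only when the last holder lets go. */
static void obj_deref(struct sock_obj *o) {
    if (--o->refcount == 0)
        pool_free(o);
}

/* I/O completion: dereferences the object the request was queued against.
 * Returns 1 if it touched a freed slot (the use-after-free), 0 otherwise. */
static int complete_io(struct pending_io *io) {
    int uaf = (io->target->state == OBJ_FREED);
    io->target = NULL;
    return uaf;
}

/* Buggy pattern: a destruction path that ignores outstanding references. */
static void close_buggy(struct sock_obj *o) {
    pool_free(o);               /* frees while a pending I/O still points here */
}

/* Fixed pattern: closing the handle drops only the owner's reference. */
static void close_fixed(struct sock_obj *o) {
    obj_deref(o);               /* the pending I/O's reference keeps the object alive */
}

/* Sequence: open -> queue I/O (takes a ref) -> close handle -> I/O completes.
 * Returns 1 if the completion dereferenced freed memory, 0 otherwise. */
static int run_sequence(int fixed) {
    memset(pool, 0, sizeof pool);
    struct sock_obj *s = pool_alloc(8080);
    struct pending_io io = { .target = s };
    obj_ref(s);                 /* the pending I/O takes its own reference */
    if (fixed) close_fixed(s); else close_buggy(s);
    int uaf = complete_io(&io);
    if (fixed) obj_deref(s);    /* completion releases the I/O's reference; object is freed here */
    return uaf;
}

int main(void) {
    printf("buggy close: %s\n", run_sequence(0) ? "use-after-free" : "ok");
    printf("fixed close: %s\n", run_sequence(1) ? "use-after-free" : "ok");
    printf("live objects after fixed sequence: %d\n", pool_live_count());
    return 0;
}
```

The point of the contrast is that the fixed path does not change who frees the object; it changes when. Freeing is tied to the reference count reaching zero, so the same interleaving that leaves a dangling pointer in the buggy version leaves a live, still-referenced object in the fixed one, and the object is still released (no leak) once the completion drops its reference.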
Exploitation
The attacker crafts a sequence of socket operations designed to trigger the premature free. The precise sequence matters: the operations must create the right interleaving of object creation, reference acquisition, and destruction to leave the dangling pointer.
After triggering the free, the attacker sprays the kernel heap to reclaim the freed allocation with controlled data. When the stale pointer is dereferenced by the pending I/O operation, it encounters the attacker's data rather than a legitimate socket object. The fake object's fields redirect kernel execution or corrupt adjacent data structures, yielding a kernel memory corruption primitive that escalates to SYSTEM.
Exploitation Primitive
Socket operation sequence -> internal object freed prematurely
-> stale reference persists -> pending I/O dereferences freed memory
-> heap reclaim with controlled data -> kernel corruption -> SYSTEM
Broader Significance
This is one of several afd.sys use-after-free vulnerabilities tracked in KernelSight (alongside CVE-2025-53718, CVE-2025-60719, and CVE-2025-62213). The recurring pattern suggests that the driver's internal object lifecycle management has systemic gaps. Each fix addresses a specific code path, but the underlying complexity of managing socket object lifetimes across concurrent operations continues to produce new instances of the same vulnerability class.