CVE-2025-53718
afd.sys -- use-after-free during socket teardown allows elevation of privilege
Summary
| Field | Value |
|---|---|
| Driver | afd.sys |
| Vulnerability Class | Use-After-Free |
| CVSS | 7.8 |
| Exploited ITW | No |
| Patch Date | August 12, 2025 |
Root Cause
Socket teardown is one of the most treacherous code paths in afd.sys. When a socket is being destroyed, the driver must release all internal objects associated with that endpoint while ensuring that no concurrent operation is still using them. CVE-2025-53718 exists because this serialization is incomplete.
The vulnerability triggers when socket teardown frees an internal object while a concurrent I/O operation on the same socket still holds a reference to it. The teardown path proceeds without waiting for the outstanding operation to complete. The I/O operation's subsequent dereference of the freed object hits memory that has been returned to the pool allocator.
This is distinct from CVE-2025-60719 (which specifically involves the unbind path) and CVE-2025-53147 (which involves a different socket operation sequence), but the underlying pattern is the same: afd.sys manages complex object lifetimes across concurrent code paths, and gaps in the serialization logic lead to use-after-free conditions.
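To make the lifetime gap concrete, the following user-mode C program is an added example (not afd.sys code and not taken from this advisory): it models a socket endpoint object whose teardown can race against an in-flight I/O, and contrasts the unserialized teardown with a reference-counted one in which the last owner, handle or pending I/O, is the one that frees. All names (`endpoint_t`, `io_request_t`, `teardown_unsafe`, `teardown_safe`, the instrumentation globals) are hypothetical and the struct layout is constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-socket state. Fields are constructed for this example
 * and do not reflect the real driver's object layout. */
typedef struct endpoint {
    int refcount;     /* one ref for the open handle, one per in-flight I/O */
    int closing;      /* set when teardown begins; new I/O is refused afterwards */
    int pending_io;   /* I/O requests that still hold a pointer to this object */
    char rx_buf[64];  /* buffer the I/O completion path writes into */
} endpoint_t;

/* An I/O request keeps a raw pointer to its endpoint until it completes. */
typedef struct io_request {
    endpoint_t *ep;
} io_request_t;

/* Instrumentation for the example: how many I/Os were in flight when the
 * endpoint was freed. Non-zero is exactly the teardown/I/O race described above. */
static int g_pending_at_last_free = -1;
static int g_live_endpoints = 0;

static endpoint_t *endpoint_create(void) {
    endpoint_t *ep = calloc(1, sizeof *ep);
    if (!ep) abort();
    ep->refcount = 1;                 /* the handle's reference */
    g_live_endpoints++;
    return ep;
}

static void endpoint_free(endpoint_t *ep) {
    g_pending_at_last_free = ep->pending_io;
    g_live_endpoints--;
    memset(ep, 0xcc, sizeof *ep);     /* poison: a stale dereference fails loudly */
    free(ep);
}

/* Reference-counted release: whoever drops the last reference frees. */
static void endpoint_release(endpoint_t *ep) {
    if (--ep->refcount == 0)
        endpoint_free(ep);
}

/* Start an I/O. Taking a reference here is what makes teardown_safe correct.
 * Returns 0 on success, -1 if the socket is already closing. */
static int io_start(endpoint_t *ep, io_request_t *req) {
    if (ep->closing)
        return -1;
    ep->refcount++;
    ep->pending_io++;
    req->ep = ep;
    return 0;
}

/* Complete an I/O: dereference the endpoint (the access that becomes a UAF if
 * teardown already freed it), then drop the I/O's reference. */
static void io_complete(io_request_t *req, const char *data) {
    endpoint_t *ep = req->ep;
    strncpy(ep->rx_buf, data, sizeof ep->rx_buf - 1);
    ep->pending_io--;
    endpoint_release(ep);
    req->ep = NULL;
}

/* VULNERABLE pattern: free outright, without waiting for pending I/O. */
static void teardown_unsafe(endpoint_t *ep) {
    endpoint_free(ep);                /* any pending io_request now dangles */
}

/* HARDENED pattern: refuse new I/O, then drop only the handle's reference.
 * Memory is returned when the last in-flight I/O completes. */
static void teardown_safe(endpoint_t *ep) {
    ep->closing = 1;
    endpoint_release(ep);
}

/* Close a socket while one I/O is pending; return the number of I/Os that were
 * in flight at free time (0 = correct lifetime handling, >0 = UAF condition). */
static int run_scenario(int use_safe_teardown) {
    io_request_t req = {0};
    endpoint_t *ep = endpoint_create();
    g_pending_at_last_free = -1;
    io_start(ep, &req);
    if (use_safe_teardown) {
        teardown_safe(ep);
        io_complete(&req, "late data"); /* object still alive: safe to touch */
    } else {
        teardown_unsafe(ep);            /* req.ep now dangles; deliberately not used */
    }
    return g_pending_at_last_free;
}

/* With the safe teardown, an I/O issued after close must be refused (1 = refused). */
static int late_io_refused(void) {
    io_request_t first = {0}, late = {0};
    endpoint_t *ep = endpoint_create();
    io_start(ep, &first);
    teardown_safe(ep);
    int refused = (io_start(ep, &late) == -1);
    io_complete(&first, "data");
    return refused;
}

int main(void) {
    printf("unsafe teardown: %d I/O(s) in flight at free time\n", run_scenario(0));
    printf("safe teardown:   %d I/O(s) in flight at free time\n", run_scenario(1));
    printf("late I/O refused after close: %d\n", late_io_refused());
    printf("live endpoints remaining: %d\n", g_live_endpoints);
    return 0;
}
```

The point of the instrumentation is that the bug is invisible in the unsafe run unless something records the pending count at free time; in a kernel driver the equivalent checks are a reference owned by every in-flight request, a "closing" state that rejects new requests, and freeing only from the last release rather than from the close path.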
Exploitation
The attacker creates a socket and initiates I/O operations that will outlive the socket itself. By carefully timing a socket close against pending I/O, the attacker causes the teardown path to free objects that the I/O path still references.
Once the free occurs, the attacker sprays the kernel heap to reclaim the freed allocation. The pending I/O operation continues executing and dereferences the stale pointer, now hitting the attacker's controlled data. This provides a kernel memory corruption primitive. Combined with standard pool grooming and token manipulation, the attacker achieves SYSTEM privileges.
Exploitation Primitive
Socket I/O initiated -> socket teardown races against pending I/O
-> internal object freed while I/O holds reference -> UAF
-> heap reclaim -> kernel memory corruption -> SYSTEM
Broader Significance
Socket teardown races are a recurring vulnerability pattern in afd.sys because the driver must handle the inherent concurrency of network I/O. A socket can have multiple pending reads, writes, and control operations when it is closed. Ensuring that all of these operations complete or are properly cancelled before releasing internal state is a coordination problem that has proven difficult to get right across all code paths. This vulnerability, patched in August 2025, sits in a lineage of similar teardown-related UAFs in the driver.