CVE-2025-60719
afd.sys — use-after-free from race between socket unbind and concurrent operations
Summary
| Field | Value |
|---|---|
| Driver | afd.sys |
| Vulnerability Class | Use-After-Free / Race Condition |
| CVSS | 7.8 |
| Exploited ITW | No (rated "Exploitation More Likely") |
| Patch Date | November 11, 2025 |
Root Cause
The driver does not prevent a socket endpoint from being unbound while other operations dereference it. A race condition between the unbind path and concurrent I/O paths leaves a stale pointer to freed socket state. The flaw affects all Windows versions from Server 2008 SP2 through Server 2025.
Akamai published a root cause analysis showing the patch added AfdPreventUnbind and AfdReallowUnbind synchronization barriers to serialize the unbind operation against concurrent access.
Vulnerable Code Path
Thread A: socket I/O operation (holds reference to endpoint)
Thread B: AfdUnbind (frees endpoint state)
→ Thread A dereferences freed endpoint → UAF
Patch Analysis
Microsoft added AfdPreventUnbind / AfdReallowUnbind synchronization barriers. AfdPreventUnbind blocks unbind while I/O operations hold references; AfdReallowUnbind releases the barrier after the operation completes.
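The barrier pattern described above, as an added user-mode model in C11; this is not code from afd.sys, Microsoft, or Akamai. The `model_*` names, the struct layout and the single-word gate are assumptions, and the model refuses a contended unbind rather than blocking it.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>

/* User-mode model only; struct and function names are hypothetical. */
#define EP_UNBOUND 0x80000000u   /* set once the bind state is torn down */
typedef struct {
    _Atomic uint32_t gate;       /* low bits: I/O paths inside the barrier */
    int bind_state;              /* stands in for the state unbind frees */
} model_endpoint;

/* Enter the barrier. Fails if unbind already won, so the caller never
   touches bind_state after teardown. */
static bool model_prevent_unbind(model_endpoint *ep) {
    uint32_t cur = atomic_load(&ep->gate);
    do {
        if (cur & EP_UNBOUND) return false;
    } while (!atomic_compare_exchange_weak(&ep->gate, &cur, cur + 1));
    return true;
}

/* Leave the barrier once the I/O path is done with bind_state. */
static void model_reallow_unbind(model_endpoint *ep) {
    atomic_fetch_sub(&ep->gate, 1);
}

/* Unbind succeeds only when no I/O path is inside the barrier. */
static bool model_unbind(model_endpoint *ep) {
    uint32_t expected = 0;
    if (!atomic_compare_exchange_strong(&ep->gate, &expected, EP_UNBOUND))
        return false;            /* holders present, or already unbound */
    ep->bind_state = 0;          /* teardown is now safe */
    return true;
}

/* Replays the Thread A / Thread B interleaving with the gate in place. */
static int model_replay(void) {
    model_endpoint ep = { .gate = 0, .bind_state = 1 };
    int score = 0;
    score += model_prevent_unbind(&ep) ? 1 : 0;   /* Thread A enters */
    score += model_unbind(&ep) ? 0 : 2;           /* Thread B is refused */
    score += (ep.bind_state == 1) ? 4 : 0;        /* state is still live */
    model_reallow_unbind(&ep);                    /* Thread A leaves */
    score += model_unbind(&ep) ? 8 : 0;           /* Thread B proceeds */
    score += model_prevent_unbind(&ep) ? 0 : 16;  /* late I/O is rejected */
    return score;                                 /* 31 when every check holds */
}

int main(void) { return model_replay() == 31 ? 0 : 1; }
```

Keeping the holder count and the unbound flag in one atomic word is what closes the window: the check for "no holders" and the transition to "unbound" happen in a single compare-exchange.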
Exploitation
The race between unbind and concurrent socket operations produces a UAF. The freed endpoint memory can be reclaimed with controlled data for kernel memory corruption.
Exploitation Primitive
Socket unbind race → UAF in afd.sys → heap reclaim → SYSTEM