CVE-2025-62213
afd.sys -- use-after-free in socket operations allows elevation of privilege
Summary
| Field | Value |
|---|---|
| Driver | afd.sys |
| Vulnerability Class | Use-After-Free |
| CVSS | 7.8 |
| Exploited ITW | No |
| Patch Date | November 11, 2025 |
Root Cause
The Ancillary Function Driver for WinSock adds another use-after-free to its growing collection in 2025. CVE-2025-62213, patched alongside CVE-2025-60719 in the November 2025 cycle, is a distinct UAF that manifests through a different set of socket operation sequences.
The root cause follows the familiar afd.sys pattern: the driver mismanages object lifetimes during socket operations, leaving a stale pointer after the referenced object is freed. The specific operations that trigger this lifetime mismatch differ from those behind CVE-2025-60719 (the unbind race) and CVE-2025-53718 (the teardown race). In this case, the premature free occurs during normal socket operations rather than during teardown or reconfiguration.
When the stale pointer is eventually dereferenced, it accesses memory that has been returned to the pool allocator. If the attacker has reclaimed that memory through heap spraying, the dereference operates on controlled data.
Exploitation
The attacker identifies the specific socket operation sequence that triggers the premature free. Once the free occurs, the attacker sprays the kernel heap with controlled allocations to reclaim the freed memory. The subsequent dereference through the stale pointer hits the attacker's data, providing a kernel memory corruption primitive.
The corruption can be shaped by controlling the contents of the sprayed allocation. The attacker places fake kernel objects in the reclaimed memory, with fields designed to redirect kernel execution or corrupt adjacent data structures. Standard token manipulation completes the chain to SYSTEM.
Exploitation Primitive
Socket operation sequence -> internal object freed prematurely
-> stale pointer persists -> heap reclaim with controlled data
-> kernel corruption -> token swap -> SYSTEM
Broader Significance
CVE-2025-62213 is the fourth afd.sys UAF tracked in KernelSight for 2025 alone (joining CVE-2025-53147, CVE-2025-53718, and CVE-2025-60719). The driver's complexity, managing socket lifecycles across concurrent operations with multiple object types, creates a large surface area for lifetime management bugs. Each patched instance fixes a specific code path, but the systemic nature of the problem suggests that more instances may remain undiscovered.