CVE-2011-2005 — Microsoft Ancillary Function Driver (afd.sys) Improper Input Validation Vulnerability

Microsoft Windows afd.sys — Kernel Driver Improper Input Validation Enables Local Privilege Escalation to SYSTEM

What is afd.sys?

The Ancillary Function Driver (afd.sys) is the Windows kernel-mode driver that implements the core of Windows Sockets (Winsock). Every networked application on Windows, from browsers and email clients to services, ends up routing its socket operations through afd.sys, which exposes them to user mode as device I/O control (ioctl) requests. Because it is a kernel driver that consumes data from arbitrary user-mode processes, afd.sys is a high-value target: a vulnerability in it can let any low-privilege process that can open a socket escalate to SYSTEM by handing malformed data to the kernel.

Overview

CVE-2011-2005 is a local privilege escalation vulnerability in afd.sys. The driver fails to validate user-mode input properly before using it in kernel mode, so a local attacker can craft an application that causes the driver to perform an out-of-bounds write in kernel memory and then gain SYSTEM privileges.

Microsoft patched this vulnerability in Security Bulletin MS11-080 on October 11, 2011.

Affected Versions

Operating System                                   Affected
Windows XP SP3                                     Yes
Windows XP Professional x64 Edition SP2            Yes
Windows Server 2003 SP2 (x86, x64 and Itanium)     Yes
Windows Vista SP2                                  No
Windows Server 2008 SP2                            No
Windows 7 (RTM and SP1)                            No
Windows Server 2008 R2 (RTM and SP1)               No

MS11-080 was rated Important for all supported editions of Windows XP and Windows Server 2003. Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2 were not affected by this vulnerability.

Technical Details

afd.sys receives ioctl requests from user-mode processes for socket operations. The vulnerability stemmed from insufficient validation of the parameters carried by one such ioctl before the driver used them in a kernel memory write. With specially crafted parameters, a local attacker could cause a write outside the intended buffer in kernel address space, corrupting kernel data structures of the attacker's choosing.

This class of vulnerability, missing validation at the user-mode/kernel-mode boundary, was a recurring pattern in Windows kernel drivers of this period. Every value a driver takes from an ioctl (buffer pointers, lengths, flags) is attacker-controlled and must be checked before the kernel dereferences or trusts it. Unlike user-mode memory corruption, a kernel-mode out-of-bounds write directly manipulates operating-system data structures, so it yields reliable escalation to SYSTEM; user-mode protections such as DEP and ASLR do not come into play, because the attacker already runs native code in user mode and the corruption happens in the kernel.
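The check that is missing in this pattern, shown as an added illustration in C that is not afd.sys source or Microsoft code: a user-mode model of an ioctl handler that writes through a caller-supplied pointer, once without validation and once behind a ProbeForWrite-style check. The handler names (afd_ioctl_vulnerable, afd_ioctl_fixed), the write recorder and the example addresses are assumptions of this example; the 0x7FFF0000 user/kernel boundary is the MmUserProbeAddress value of 32-bit Windows XP and Server 2003.

```c
/*
 * Added illustrative model, not afd.sys source: shows the user/kernel pointer
 * check a Windows kernel driver must apply before writing through a pointer
 * that a user-mode caller passed in an ioctl.  Everything here (the afd_*
 * handler names, the write recorder, the fixed address layout) is this
 * example's own assumption.  The layout follows 32-bit Windows XP/2003, where
 * user space ends below MmUserProbeAddress (0x7FFF0000) and everything above
 * is kernel address space.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint32_t addr32_t;   /* a 32-bit virtual address in the model */
typedef uint32_t ntstatus_t; /* NTSTATUS, kept unsigned for simplicity */

#define STATUS_SUCCESS               ((ntstatus_t)0x00000000)
#define STATUS_DATATYPE_MISALIGNMENT ((ntstatus_t)0x80000002)
#define STATUS_ACCESS_VIOLATION      ((ntstatus_t)0xC0000005)
#define STATUS_BUFFER_TOO_SMALL      ((ntstatus_t)0xC0000023)
#define MM_USER_PROBE_ADDRESS        ((addr32_t)0x7FFF0000)

/* Stand-in for the driver's write into the caller's output buffer: instead of
 * touching memory it records where the write would have landed. */
struct write_record { int happened; addr32_t addr; uint32_t len; };

static void kernel_write(struct write_record *rec, addr32_t addr, uint32_t len)
{
    if (rec) { rec->happened = 1; rec->addr = addr; rec->len = len; }
}

/* Model of ProbeForWrite: the range must not wrap, must be aligned, and must
 * lie entirely below the user-probe boundary (the end address is exclusive,
 * so a range ending exactly at the boundary is allowed).  A zero-length probe
 * succeeds.  The real routine also touches each page so that an unmapped user
 * page faults inside the driver's try/except; that part is omitted here. */
static ntstatus_t probe_for_write(addr32_t addr, uint32_t len, uint32_t align)
{
    if (len == 0)
        return STATUS_SUCCESS;
    if (addr & (align - 1))
        return STATUS_DATATYPE_MISALIGNMENT;
    addr32_t end = addr + len;               /* 32-bit arithmetic may wrap */
    if (end < addr || end > MM_USER_PROBE_ADDRESS)
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* The defective pattern the advisory describes: the handler checks only the
 * length and then writes a kernel value through whatever pointer the caller
 * supplied.  A caller passing a kernel address gets a 4-byte kernel write. */
static ntstatus_t afd_ioctl_vulnerable(addr32_t out_buf, uint32_t out_len,
                                       struct write_record *rec)
{
    if (out_len < sizeof(uint32_t))
        return STATUS_BUFFER_TOO_SMALL;
    kernel_write(rec, out_buf, sizeof(uint32_t));
    return STATUS_SUCCESS;
}

/* The corrected pattern: probe the caller's pointer before using it.  In a
 * real driver the probe and the write sit inside __try/__except so that a
 * faulting user address becomes a returned status, not a bugcheck. */
static ntstatus_t afd_ioctl_fixed(addr32_t out_buf, uint32_t out_len,
                                  struct write_record *rec)
{
    if (out_len < sizeof(uint32_t))
        return STATUS_BUFFER_TOO_SMALL;
    ntstatus_t st = probe_for_write(out_buf, out_len, sizeof(uint32_t));
    if (st != STATUS_SUCCESS)
        return st;
    kernel_write(rec, out_buf, sizeof(uint32_t));
    return STATUS_SUCCESS;
}

/* Runs one handler on a fresh record and reports whether a write happened. */
static int handler_wrote(ntstatus_t (*h)(addr32_t, uint32_t, struct write_record *),
                         addr32_t addr, uint32_t len)
{
    struct write_record rec = { 0, 0, 0 };
    h(addr, len, &rec);
    return rec.happened;
}

int main(void)
{
    /* Constructed inputs: a plausible user heap buffer and a kernel-range target. */
    const addr32_t user_buf = 0x00120000u, kernel_target = 0x80544000u;
    printf("user buffer:   vulnerable wrote=%d fixed wrote=%d\n",
           handler_wrote(afd_ioctl_vulnerable, user_buf, 4),
           handler_wrote(afd_ioctl_fixed, user_buf, 4));
    printf("kernel target: vulnerable wrote=%d fixed wrote=%d (status 0x%08X)\n",
           handler_wrote(afd_ioctl_vulnerable, kernel_target, 4),
           handler_wrote(afd_ioctl_fixed, kernel_target, 4),
           afd_ioctl_fixed(kernel_target, 4, NULL));
    printf("wrap-around:   fixed status 0x%08X\n",
           afd_ioctl_fixed(0xFFFFFFFCu, 8, NULL));
    return 0;
}
```

Build with any C compiler and run: the vulnerable handler reports a write to the kernel-range target while the fixed handler returns STATUS_ACCESS_VIOLATION and writes nothing. The wrap-around case is why the probe also checks end < addr: a length that carries the end address past 0xFFFFFFFF would otherwise pass the boundary comparison and reach low kernel-controlled addresses.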

Attack prerequisites:

  • Local code execution on the target system at any privilege level (an interactive logon or an existing foothold is enough)
  • No rights beyond the ability to run a program; the vulnerable ioctl interface is reachable from any process

Exploitation is reliable across the affected Windows versions.

Discovery

The vulnerability was privately reported to Microsoft and handled through Microsoft's coordinated security response process; the reporter is credited in the acknowledgments section of Security Bulletin MS11-080.

Exploitation Context

CISA added this CVE to the Known Exploited Vulnerabilities (KEV) catalog in March 2022, which signals evidence of active exploitation. Local privilege escalation vulnerabilities like this one are typically the second stage of an attack chain: an attacker who already has code execution from an initial access vector (phishing, a browser exploit) uses the kernel LPE to move from a limited user context to SYSTEM, which unlocks persistence, credential dumping and lateral movement.

Remediation

  1. Apply MS11-080 (October 2011 Patch Tuesday) on all affected Windows systems.
  2. Windows XP and Windows Server 2003 are end-of-life and no longer receive security updates; any remaining deployment should be assumed exploitable, isolated from untrusted users and networks, and migrated to a supported Windows version.
  3. Where a system cannot be updated immediately, apply defense-in-depth controls: application allowlisting (exploitation requires running an attacker-supplied program), restricted user privileges, and network segmentation.
  4. Monitor for suspicious privilege escalation with endpoint detection tooling, for example SYSTEM-level processes spawned by user-context parents.

Key Details

Property                Value
CVE ID                  CVE-2011-2005
Vendor / Product        Microsoft, Ancillary Function Driver (afd.sys)
NVD Published           2011-10-12
NVD Last Modified       2025-10-22
CVSS 3.1 Score          7.8
CVSS 3.1 Vector         CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity                HIGH
CISA KEV Added          2022-03-28
CISA KEV Deadline       2022-04-18
Known Ransomware Use    Unknown

CVSS 3.1 Breakdown

Attack Vector          Local
Attack Complexity      Low
Privileges Required    None
User Interaction       Required
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-04-18. Apply updates per vendor instructions.

Timeline

Date        Event
2011-10-11  Microsoft releases MS11-080, patching the afd.sys improper input validation vulnerability
2011-10-12  CVE-2011-2005 published
2022-03-28  Added to the CISA Known Exploited Vulnerabilities catalog
2022-04-18  CISA BOD 22-01 remediation deadline

References

Resource                                Type
NVD entry for CVE-2011-2005             Vulnerability database
CISA KEV catalog entry                  US Government
Microsoft Security Bulletin MS11-080    Vendor advisory