CVE-2024-38193 — Microsoft Windows Ancillary Function Driver for WinSock Privilege Escalation Vulnerability

Windows AFD.sys — Zero-Day Use-After-Free Used by North Korea Lazarus Group to Deploy FudModule Rootkit

What is the Windows AFD Driver?

The Ancillary Function Driver for WinSock (afd.sys) is the Windows kernel driver that implements Winsock socket operations: every user-mode socket call (create, bind, connect, send, receive, option handling) ultimately reaches afd.sys through a handle on \Device\Afd and an I/O control request (NtDeviceIoControlFile). Because virtually every networked Windows application depends on sockets, afd.sys exposes a large and complex IOCTL surface that any unprivileged process can drive directly, which is why this CVE carries PR:L (low privileges) in its CVSS vector. A use-after-free in that surface is a kernel memory corruption primitive reachable from an ordinary user-mode process, exactly the kind of bug privilege escalation exploit developers look for.

Overview

CVE-2024-38193 is a use-after-free vulnerability in the Windows Ancillary Function Driver for WinSock (afd.sys) that lets a local, low-privileged attacker escalate to SYSTEM. It was reported to Microsoft by Gen Digital (the company formed from NortonLifeLock and Avast), whose researchers found it being exploited as a zero-day by North Korea's Lazarus Group (Microsoft tracks the subgroups seen with this tooling as Diamond Sleet and Citrine Sleet) to deploy the FudModule rootkit, a kernel-tampering implant that disables Windows security mechanisms from kernel level. Microsoft patched it on August 13, 2024, and CISA added it to the KEV catalog the same day. The Chrome-to-kernel chain Microsoft attributed to Citrine Sleet later that month (CVE-2024-7971 in V8 followed by a kernel escalation, also ending in FudModule) used a different Windows kernel bug, CVE-2024-38106, not this one; CVE-2024-38193 is best treated as a standalone local privilege escalation that any initial-access vector, browser exploit or otherwise, can follow.

Affected Versions

OS                                     Status
Windows 10 (all supported versions)    Patched, August 2024 Patch Tuesday
Windows 11 (all supported versions)    Patched, August 2024 Patch Tuesday
Windows Server 2008 R2 and later       Patched, August 2024 Patch Tuesday

Technical Details

CWE-416 (Use-After-Free). afd.sys manages kernel objects that represent sockets and related Winsock state. A flaw in the lifecycle of one of these objects leaves a reference to freed memory reachable through a user-mode socket operation. By timing a sequence of socket calls so that the freed allocation is reclaimed with attacker-controlled data before the stale pointer is dereferenced, a local attacker turns the dangling reference into a controlled kernel write. That write is then used to modify the attacker's process token so the process runs as SYSTEM; the same kernel access is what a rootkit such as FudModule needs to tamper with kernel security structures. Microsoft has not published the specific object or IOCTL sequence involved, so no further detail is given here.

How CVE-2024-38193 fits a Lazarus-style intrusion (the related Citrine Sleet chain Microsoft documented in August 2024 had the same shape, using CVE-2024-7971 in Chrome V8 for the first step and CVE-2024-38106 for the kernel step):

  1. Initial code execution in a low-privileged process on the host, for example a browser renderer compromised through a V8 zero-day
  2. CVE-2024-38193 afd.sys use-after-free escalates from that process (renderer sandbox or ordinary user account) to SYSTEM and yields a kernel write primitive
  3. FudModule rootkit uses that kernel access to tamper with Windows security telemetry, disable EDR sensors, and establish persistent privileged access; it is driven from user mode through the kernel read/write primitive rather than by loading a driver of its own, so it does not depend on getting a driver signed or loaded

Discovery

Discovered by Gen Digital's security researchers, who identified FudModule rootkit samples in the wild and reverse-engineered the exploit. This is not the first time Lazarus has paired FudModule with a Windows kernel zero-day: in February 2024 Avast (now part of Gen Digital) documented an updated FudModule being loaded through CVE-2024-21338, an admin-to-kernel flaw in appid.sys, after earlier variants had relied on bring-your-own-vulnerable-driver (BYOVD) techniques. The afd.sys bug is a step further, since it needs only a low-privileged user account rather than administrator rights, and it shows the group's sustained investment in Windows kernel exploitation as the route to loading FudModule.

Exploitation Context

North Korea's Lazarus Group used this exploit in campaigns targeting cryptocurrency industry employees and financial sector workers, consistent with North Korea's objective of funding its weapons program through cryptocurrency theft. FudModule's ability to disable Windows security telemetry and EDR sensors makes post-exploitation activity very hard for defenders to see, enabling prolonged access and large-scale theft. The sophistication of the tooling (a kernel zero-day paired with a custom rootkit, and in the related Citrine Sleet case a browser zero-day in front of it) reflects significant investment by a well-resourced threat actor.

Remediation

  1. Apply the August 2024 Windows security updates (Patch Tuesday, August 13, 2024). This is the only fix for the afd.sys use-after-free; there is no configuration workaround, since the vulnerable code is reachable from any process that can open a socket.
  2. Enable virtualization-based security (VBS) and Hypervisor-Protected Code Integrity (HVCI). HVCI blocks unsigned or rogue kernel code and BYOVD-style driver loading, but a rootkit that works purely through a kernel read/write primitive can still operate, so treat VBS/HVCI as raising the attacker's cost rather than as a substitute for patching.
  3. Also apply current Chrome/Chromium updates. The August 2024 V8 zero-days (CVE-2024-7971, CVE-2024-7965) were the browser entry point in the related Citrine Sleet chain, and any renderer escape will look for an unpatched kernel privilege escalation like this one.
  4. Deploy Endpoint Detection and Response (EDR) tooling with kernel tamper protection. FudModule specifically targets EDR sensor disabling, so products with self-protection mechanisms, and monitoring for sudden loss of sensor telemetry from a host, are most effective.
  5. Cryptocurrency industry organizations and financial institutions should treat this as an active threat and verify browser and OS patch levels immediately.
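The following PowerShell script is an added example, not a tool from Microsoft, Gen Digital or the original advisory. It checks one host for the conditions the remediation list above describes: whether the installed OS build is at or past the August 2024 update, the afd.sys file version on disk, whether VBS and HVCI are actually running, and whether Defender tamper protection is on. The patched UBR values in the table are this example's own assumption and must be confirmed against Microsoft's August 13, 2024 release notes for each build before the script is relied on; builds not in the table are reported as unknown rather than guessed.

```powershell
# Added example: local verification of CVE-2024-38193 remediation state.
# Hypothetical script, not a Microsoft-supplied tool.

# Patched Update Build Revision (UBR) per OS build, as of the 2024-08-13 update.
# ASSUMPTION: these values are from the example author's notes; verify them
# against the Microsoft release notes for each build before trusting the result.
$PatchedUbr = @{
    '26100' = 1457   # Windows 11 24H2   (KB5041571)
    '22631' = 4037   # Windows 11 23H2   (KB5041585)
    '22621' = 4037   # Windows 11 22H2   (KB5041585)
    '19045' = 4780   # Windows 10 22H2   (KB5041580)
    '20348' = 2655   # Windows Server 2022 (KB5041160)
}

function Get-WindowsBuildInfo {
    # CurrentBuildNumber + UBR is the reliable patch-level indicator;
    # Get-HotFix does not list every cumulative update.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $afd = Get-Item "$env:SystemRoot\System32\drivers\afd.sys"
    [pscustomobject]@{
        Build      = [string]$cv.CurrentBuildNumber
        UBR        = [int]$cv.UBR
        AfdVersion = $afd.VersionInfo.FileVersion
        AfdSigned  = (Get-AuthenticodeSignature $afd.FullName).Status -eq 'Valid'
    }
}

function Test-AfdPatchLevel {
    param([hashtable]$Table = $PatchedUbr)
    $info = Get-WindowsBuildInfo
    if (-not $Table.ContainsKey($info.Build)) {
        $status = 'UNKNOWN (build not in table; check the MSRC advisory)'
    } elseif ($info.UBR -ge $Table[$info.Build]) {
        $status = 'PATCHED'
    } else {
        $status = 'VULNERABLE (UBR below August 2024 level)'
    }
    [pscustomobject]@{
        Build      = "$($info.Build).$($info.UBR)"
        AfdVersion = $info.AfdVersion
        AfdSigned  = $info.AfdSigned
        Status     = $status
    }
}

function Get-VbsHvciStatus {
    # Win32_DeviceGuard is the documented way to read VBS/HVCI state.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning = (@($dg.SecurityServicesRunning) -contains 2)
    }
}

function Get-DefenderTamperProtection {
    # Only meaningful where Microsoft Defender is the active engine.
    try   { (Get-MpComputerStatus).IsTamperProtected }
    catch { 'N/A (Defender cmdlets unavailable)' }
}

$patch = Test-AfdPatchLevel
$vbs   = Get-VbsHvciStatus
Write-Host "OS build        : $($patch.Build)"
Write-Host "afd.sys version : $($patch.AfdVersion) (signature valid: $($patch.AfdSigned))"
Write-Host "Patch status    : $($patch.Status)"
Write-Host "VBS running     : $($vbs.VbsRunning)"
Write-Host "HVCI running    : $($vbs.HvciRunning)"
Write-Host "Tamper protect  : $(Get-DefenderTamperProtection)"
if ($patch.Status -ne 'PATCHED') { exit 1 }
```

The script needs no elevation for the registry, CIM and Defender status reads, so it can be pushed through any existing configuration-management channel and the exit code collected. A host that reports PATCHED but with VBS or HVCI not running is still fully protected against this CVE; the VBS/HVCI fields are there because they govern how much an attacker who does get kernel access can do next.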

Key Details

Property              Value
CVE ID                CVE-2024-38193
Vendor / Product      Microsoft — Windows
NVD Published         2024-08-13
NVD Last Modified     2025-10-28
CVSS 3.1 Score        7.8
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-416
CISA KEV Added        2024-08-13
CISA KEV Deadline     2024-09-03
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2024-09-03. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2024-08-13  Microsoft releases August 2024 Patch Tuesday patching CVE-2024-38193; CISA adds it to KEV the same day; Gen Digital (Avast) publishes the FudModule attribution
2024-09-03  CISA BOD 22-01 remediation deadline