CVE-2025-21418

What is the Windows Ancillary Function Driver (AFD)?

The Ancillary Function Driver (afd.sys) is the Windows kernel driver that implements the user-mode WinSock socket API. It bridges all socket operations (WSASocket, connect, send, recv, bind) from user-space applications to the underlying network stack. Because afd.sys is reachable from unprivileged user accounts through standard socket API calls, vulnerabilities in AFD provide a consistent path for local privilege escalation.

AFD has been exploited repeatedly: CVE-2023-21768 (2023 UAF), CVE-2025-21418 (this CVE, heap overflow, Feb 2025), and CVE-2025-32709 (UAF, May 2025) are three distinct AFD zero-days in under three years.

Overview

CVE-2025-21418 is a heap-based buffer overflow (CWE-122) in afd.sys that allows a locally authenticated attacker with standard user privileges to escalate to SYSTEM. Disclosed as a zero-day in the February 2025 Patch Tuesday, CISA added it to the KEV catalog on patch day. February 2025 Patch Tuesday also included a companion AFD vulnerability CVE-2025-21419 (information disclosure) and Windows Storage symlink CVE-2025-21391.

Affected Versions

Technical Details

The heap-based buffer overflow (CWE-122) occurs in afd.sys during socket operation processing. A specially crafted sequence of socket API calls — accessible from any user-mode process via standard WinSock — causes a kernel heap buffer to be written beyond its boundary. The overflow corrupts adjacent kernel heap memory, which an attacker can leverage to overwrite security-critical kernel structures (such as process token privilege masks) to elevate from user to SYSTEM.

The Low attack complexity (AC:L) reflects that the exploit was reliably weaponized before the patch. AFD exploits typically do not require any specific system configuration or elevated starting privileges — they work on any standard Windows system with any user account.

Discovery

Microsoft Threat Intelligence identified active exploitation before February 2025 Patch Tuesday. The specific reporter was not publicly disclosed.

Exploitation Context

Confirmed zero-day exploitation before February 11, 2025. The recurring pattern of AFD zero-days (2023, Feb 2025, May 2025) indicates that the AFD codebase is a sustained research target for threat actors developing Windows LPE exploits. These vulnerabilities are used as the second stage in attack chains after initial access — elevating from a standard user foothold to full SYSTEM control.

Remediation

1. Apply the February 2025 cumulative update for your Windows version. The CISA deadline was March 4, 2025.
2. Note: the May 2025 zero-day CVE-2025-32709 is a separate AFD UAF vulnerability — applying the February patch does not address the May vulnerability. Apply all cumulative updates.
3. No special configuration changes are needed — the patch is in the cumulative update.
4. Restrict local logon and RDP access on servers where feasible — LPE vulnerabilities require a local user foothold to trigger.