CVE-2026-20810

Description

Free of memory not on the heap in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:* - VULNERABLE

cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:* - VULNERABLE

cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:* - VULNERABLE

Windows 10 1809/1903/1909/2004/20H2/21H1/21H2

Windows 11 21H2/22H2

Windows Server 2019

Windows Server 2022

Windows Server Core 2019/2022

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2026-20810 PoC - Windows AFD Use-After-Free LPE
// This is a conceptual PoC for educational purposes only

#include <windows.h>
#include <winsock2.h>
#include <ws2tcpip.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")

// IOCTL codes for AFD driver
#define AFDEcho  0x12003
#define AFDAddress  0x12007

int main() {
    printf("[*] CVE-2026-20810 Windows AFD UAF PoC\n");
    printf("[*] Target: Windows Ancillary Function Driver\n\n");
    
    // Initialize Winsock
    WSADATA wsaData;
    WSAStartup(MAKEWORD(2, 2), &wsaData);
    
    // Create socket
    SOCKET sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock == INVALID_SOCKET) {
        printf("[-] Failed to create socket\n");
        return 1;
    }
    
    printf("[+] Socket created successfully\n");
    
    // Step 1: Trigger vulnerable code path in AFD driver
    // The vulnerability occurs when AFD.sys incorrectly frees non-heap memory
    // during certain IOCTL operations
    
    struct sockaddr_in addr;
    addr.sin_family = AF_INET;
    addr.sin_port = htons(445);
    addr.sin_addr.s_addr = inet_addr("127.0.0.1");
    
    // Step 2: Connect to trigger AFD internal operations
    connect(sock, (struct sockaddr*)&addr, sizeof(addr));
    
    // Step 3: Perform operations that trigger the use-after-free condition
    // This requires specific driver interaction
    
    printf("[*] Triggering AFD driver vulnerability...\n");
    
    // Step 4: Use-after-free exploitation would require:
    // - Kernel pool spraying to reclaim freed memory
    // - Overwriting with malicious data structure
    // - Triggering callback to achieve code execution
    
    printf("[*] Note: Actual exploitation requires kernel pool manipulation\n");
    printf("[*] and specific Windows version targeting\n");
    
    closesocket(sock);
    WSACleanup();
    
    printf("\n[!] This PoC demonstrates the vulnerability concept only.\n");
    printf("[!] Apply Microsoft security updates to remediate.\n");
    
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-20810
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-20810
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-20810/
[4] VulDB https://vuldb.com/cve/CVE-2026-20810
[5] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20810

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-20810", "sourceIdentifier": "[email protected]", "published": "2026-01-13T18:16:07.547", "lastModified": "2026-01-14T20:12:30.473", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Free of memory not on the heap in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally."}, {"lang": "es", "value": "Liberación de memoria fuera del heap en el controlador de función auxiliar de Windows para WinSock permite a un atacante autorizado elevar privilegios localmente."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-590"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.17763.8276", "matchCriteriaId": "DD4CBDAB-7626-4048-8474-B1BD9C1F3255"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*", "versionEndExcluding": "10.0.17763.8276", "matchCriteriaId": "A6D4C631-2CC0-407C-9ACA-7C151006598C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.19044.6809", "matchCriteriaId": "1895E186-5B2E-43CC-AF1F-B5C95419D8C5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.19045.6809", "matchCriteriaId": "B7CB5184-1BA1-4D71-8AE3-CF4C6B63A469"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.17763.8276", "matchCriteriaId": "A74970A1-CC81-4482-B465-8382B1544EF3"}]}]}], "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20810", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}