Local Privilege Escalation in Windows afd.sys (CVE‑2026‑32073) Threatens Enterprise Endpoints
What It Is – A race‑condition flaw in the Windows kernel driver afd.sys permits a local attacker to gain SYSTEM‑level privileges by exploiting improper locking on object operations.
Exploitability – The vulnerability has been publicly disclosed and rated CVSS 7.8 (High). No public exploit code has been released, but the detailed advisory gives attackers who already have low‑privileged code execution enough information to craft their own exploits.
Affected Products – Microsoft Windows operating systems (all supported versions that include the afd.sys driver).
TPRM Impact – Any third‑party that supplies Windows‑based workstations, servers, or virtual desktop infrastructure inherits the risk. A compromised endpoint can be used to pivot, exfiltrate data, or install ransomware across the supply chain.
Recommended Actions –
- Deploy Microsoft’s security update for CVE‑2026‑32073 immediately.
- Verify patch compliance on all Windows assets via automated inventory tools.
- Enforce least‑privilege policies; restrict execution of untrusted code on endpoints.
- Monitor for anomalous kernel‑mode activity and afd.sys loading patterns.
- Review third‑party contracts for Windows‑based services and require proof of patching.
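As an added example (not part of the advisory above), the following PowerShell check is the kind of job an inventory tool could run on each Windows asset to confirm the afd.sys fix is present. The KB identifier and the minimum fixed afd.sys version are placeholders, because the advisory does not state them; fill both from Microsoft's release notes before use.

```powershell
# Added example, not from the advisory: report whether this host carries the fix for
# CVE-2026-32073 using two signals an inventory collector can gather without elevation.
# PLACEHOLDERS (not from the advisory): the KB id of the fixing update and the first
# afd.sys file version that contains the fix. Replace both from Microsoft's release notes.
$FixKB         = 'KB0000000'          # PLACEHOLDER: KB number of the update for CVE-2026-32073
$MinAfdVersion = [version]'0.0.0.0'   # PLACEHOLDER: first afd.sys version containing the fix

function Get-AfdPatchStatus {
    param(
        [string]$KB = $FixKB,
        [version]$MinVersion = $MinAfdVersion
    )
    $afdPath = Join-Path $env:SystemRoot 'System32\drivers\afd.sys'
    $result = [ordered]@{
        ComputerName     = $env:COMPUTERNAME
        AfdPath          = $afdPath
        AfdVersion       = $null
        KBInstalled      = $false
        VersionAtOrAbove = $false
        Compliant        = $false
    }
    if (Test-Path $afdPath) {
        # Version of the on-disk driver; the kernel loads this copy at the next boot,
        # so a freshly patched but not yet rebooted host can still be running old code.
        $fv = (Get-Item $afdPath).VersionInfo.FileVersion
        # FileVersion may carry a suffix such as "10.0.19041.1 (WinBuild...)"; keep the numeric part
        $numeric = ($fv -split '\s')[0]
        $result.AfdVersion = $numeric
        $result.VersionAtOrAbove = ([version]$numeric -ge $MinVersion)
    }
    # Get-HotFix reads the installed-updates list. A missing entry can also mean the fix
    # arrived inside a cumulative update under a different id, so do not rely on it alone.
    $result.KBInstalled = [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
    # Treat the host as patched only when both signals agree
    $result.Compliant = $result.KBInstalled -and $result.VersionAtOrAbove
    [pscustomobject]$result
}

Get-AfdPatchStatus | Format-List
```

Run it through your remote-execution tooling (for example Invoke-Command across the asset list) and flag every host where Compliant is False for follow-up.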