HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Local Privilege Escalation in Windows afd.sys (CVE-2026-32073) Threatens Enterprise Endpoints

A race‑condition flaw in the Windows kernel driver afd.sys (CVE‑2026‑32073) allows local attackers to elevate privileges to SYSTEM. The issue affects all supported Windows versions and can be leveraged to compromise corporate networks, posing a significant third‑party risk for organizations that rely on Microsoft Windows endpoints.

LiveThreat™ Intelligence · 📅 April 16, 2026· 📰 zerodayinitiative.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
5 recommended
📰
Source
zerodayinitiative.com

Local Privilege Escalation in Windows afd.sys (CVE‑2026‑32073) Threatens Enterprise Endpoints

What It Is – A race‑condition flaw in the Windows kernel driver afd.sys permits a local attacker to gain SYSTEM‑level privileges by exploiting improper locking on object operations.

Exploitability – The vulnerability is publicly disclosed with a CVSS 7.8 (High). No public exploit code has been released, but the detailed advisory enables attackers with low‑privileged code execution to craft their own exploits.

Affected Products – Microsoft Windows operating systems (all supported versions that include the afd.sys driver).

TPRM Impact – Any third‑party that supplies Windows‑based workstations, servers, or virtual desktop infrastructure inherits the risk. A compromised endpoint can be used to pivot, exfiltrate data, or install ransomware across the supply chain.

Recommended Actions

  • Deploy Microsoft’s security update for CVE‑2026‑32073 immediately.
  • Verify patch compliance on all Windows assets via automated inventory tools.
  • Enforce least‑privilege policies; restrict execution of untrusted code on endpoints.
  • Monitor for anomalous kernel‑mode activity and afd.sys loading patterns.
  • Review third‑party contracts for Windows‑based services and require proof of patching.

Source: Zero Day Initiative Advisory ZDI‑26‑277

📰 Original Source
http://www.zerodayinitiative.com/advisories/ZDI-26-277/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →