CVE-2025-60719 — afd.sys Multi-Routine UAF (Endpoint Unbind Race)

Last updated: 2026-04-28
Component: afd.sys (Ancillary Function Driver for WinSock)
Bug Class: Use-after-free via race between socket close and concurrent dispatch
Patch: November 2025 cumulative update — KB5068861 (fixed binary afd.sys 10.0.26100.7171)
Exploited ITW: No public attribution; broadly impactful given near-universal afd.sys exposure
Discoverer: Akamai security research (analyzed via PatchDiff-AI)
Related: CVE-2023-28218, Race Conditions, Use-After-Free
Tags: afd, uaf, race-condition, winsock, kernel-mode, lpe


Summary

A race in afd.sys: a thread closing a socket can free the endpoint while a concurrent IOCTL on the same socket is mid-dereference. The dispatch routine continues to operate on freed memory. Affected dispatchers include AfdSocketTransfer*, AfdGetInformation, AfdBind, and AfdConnect — i.e., the bulk of the WinSock IOCTL surface.

afd.sys is reachable from essentially every process; this is one of the highest-impact LPEs of the November 2025 cycle.


Root cause

In the unpatched driver, dispatch routines fetch pointers to the Endpoint, the file object, or the device object up front, then perform multiple operations on them without holding a reference or lock that prevents concurrent unbind. A second thread issuing CloseHandle (or the kernel’s natural cleanup on socket teardown) can free the endpoint between the dispatcher’s fetch and use.

The fix introduces an explicit synchronization barrier: AfdPreventUnbind / AfdReallowUnbind are called around the critical regions of each affected dispatch path, locking the endpoint state for the duration of the operation. Akamai’s diff between vulnerable afd.sys 10.0.26100.6899 and patched 10.0.26100.7171 makes the change clear.
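The following is an added, userland model of the fetch-then-use pattern described above and of the guard the patch adds; it is not afd.sys code, not Akamai's diff output, and the Endpoint layout, the guard semantics (a counter that defers a pending close until the last holder releases it) and the single fixed interleaving are all assumptions made for illustration. The "free" is modelled as a flag so the object can be inspected afterwards instead of actually dereferencing released memory.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy endpoint (assumed layout; the real AFD endpoint is far larger). */
typedef struct Endpoint {
    int  unbind_guards;  /* outstanding AfdPreventUnbind-style holds (modelled) */
    bool close_pending;  /* a close arrived while a guard was held */
    bool freed;          /* stands in for the pool free so the test can inspect it */
    int  local_port;     /* a field the dispatcher reads and writes */
} Endpoint;

static Endpoint *endpoint_create(int port) {
    Endpoint *ep = calloc(1, sizeof *ep);
    if (ep) ep->local_port = port;
    return ep;
}

/* Teardown path: releases immediately unless a dispatcher holds a guard. */
static void endpoint_close(Endpoint *ep) {
    if (ep->unbind_guards > 0) { ep->close_pending = true; return; }
    ep->freed = true;
}

/* Modelled AfdPreventUnbind / AfdReallowUnbind: the release is deferred to the
 * last holder, so a dispatcher never sees the object disappear mid-operation. */
static void prevent_unbind(Endpoint *ep) { ep->unbind_guards++; }
static void reallow_unbind(Endpoint *ep) {
    if (--ep->unbind_guards == 0 && ep->close_pending) ep->freed = true;
}

typedef enum { DISPATCH_OK, DISPATCH_TOUCHED_FREED } DispatchResult;

/* Unpatched shape: pointer fetched up front, concurrent close wins, then use.
 * The real driver has no `freed` check; the check here only makes the UAF visible. */
static DispatchResult dispatch_unpatched(Endpoint *ep) {
    Endpoint *local = ep;                 /* fetch */
    endpoint_close(ep);                   /* other thread's CloseHandle lands here */
    if (local->freed) return DISPATCH_TOUCHED_FREED;
    local->local_port += 1;               /* use */
    return DISPATCH_OK;
}

/* Patched shape: the same interleaving, but the close is deferred by the guard. */
static DispatchResult dispatch_patched(Endpoint *ep) {
    prevent_unbind(ep);
    Endpoint *local = ep;
    endpoint_close(ep);                   /* only marks close_pending */
    DispatchResult r = local->freed ? DISPATCH_TOUCHED_FREED : DISPATCH_OK;
    if (r == DISPATCH_OK) local->local_port += 1;
    reallow_unbind(ep);                   /* deferred close completes here */
    return r;
}

int main(void) {
    Endpoint *a = endpoint_create(8080);
    printf("unpatched: %s\n", dispatch_unpatched(a) == DISPATCH_OK ? "ok" : "touched freed endpoint");
    free(a);
    Endpoint *b = endpoint_create(8080);
    printf("patched:   %s, released after dispatch: %s\n",
           dispatch_patched(b) == DISPATCH_OK ? "ok" : "touched freed endpoint",
           b->freed ? "yes" : "no");
    free(b);
    return 0;
}
```

The point the model makes is that the fix does not remove the race; it changes who wins. Close still arrives mid-dispatch, but the object outlives the dispatcher's use and is released once the guard count drops to zero.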


Exploitation (expected pattern)

The afd.sys UAF chain follows a well-trodden path. Once the dangling pointer is dereferenced:

  1. Spray the freed slot with a controllable object (WNF state-data, pipe attributes, IORING RegBuffers).
  2. Promote to kernel R/W via IORING _IOP_MC_BUFFER_ENTRY corruption or WNF data-size flips (see WNF Internals).
  3. Token steal.

The novelty is on the trigger side — Akamai documented it via diff-driven analysis rather than a hand-written PoC, but the structures and primitives are standard.


Detection

  • Concurrent IOCTL_AFD_* on a socket whose other handle is being closed.
  • Pool churn around the afd.sys endpoint structure size class, followed by IORING reads/writes.
  • Generic UAF indicators: a process that keeps issuing the same socket IOCTL/close pairs and continues immediately after a syscall returns an error (each error is a lost race attempt; the loop is the tell).
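As an added example of the first detection bullet, the following C program scans constructed telemetry for IOCTL dispatches on a socket object that overlap a close of the same object from the same process. The line format (`t=<ms> pid=<n> ev=IOCTL|CLOSE sock=<hex> [dur=<ms>]`), the sample lines and the per-process threshold are all assumptions; this is not an ETW schema, an EDR rule, or code from Akamai or Microsoft.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_EVENTS 64

typedef struct {
    long     t;      /* timestamp, ms (constructed) */
    int      pid;
    char     ev[8];  /* "IOCTL" or "CLOSE" */
    unsigned sock;   /* socket object id (constructed) */
    long     dur;    /* IOCTL duration in ms; 0 for CLOSE */
} Event;

/* Constructed sample telemetry in an assumed format. pid 4242 closes each socket
 * while an IOCTL on it is still in flight; pid 777 closes after the IOCTL finished. */
static const char *SAMPLE_LOG[] = {
    "t=1000 pid=4242 ev=IOCTL sock=0x1a dur=6",
    "t=1003 pid=4242 ev=CLOSE sock=0x1a",
    "t=1010 pid=4242 ev=IOCTL sock=0x1b dur=6",
    "t=1012 pid=4242 ev=CLOSE sock=0x1b",
    "t=1020 pid=4242 ev=IOCTL sock=0x1c dur=6",
    "t=1024 pid=4242 ev=CLOSE sock=0x1c",
    "t=2000 pid=777 ev=IOCTL sock=0x2a dur=6",
    "t=2050 pid=777 ev=CLOSE sock=0x2a",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Parse one line; returns 1 on success. dur is optional and defaults to 0. */
static int parse_event(const char *line, Event *e) {
    memset(e, 0, sizeof *e);
    int n = sscanf(line, "t=%ld pid=%d ev=%7s sock=%x dur=%ld",
                   &e->t, &e->pid, e->ev, &e->sock, &e->dur);
    return n >= 4;
}

/* Count CLOSE events that land inside [t, t+dur) of an IOCTL on the same socket
 * object issued by the same pid. */
static int count_overlaps(const char *const *lines, size_t n, int pid) {
    Event ev[MAX_EVENTS];
    size_t count = 0;
    for (size_t i = 0; i < n && count < MAX_EVENTS; i++)
        if (parse_event(lines[i], &ev[count]) && ev[count].pid == pid) count++;

    int overlaps = 0;
    for (size_t i = 0; i < count; i++) {
        if (strcmp(ev[i].ev, "IOCTL") != 0) continue;
        for (size_t j = 0; j < count; j++) {
            if (strcmp(ev[j].ev, "CLOSE") != 0 || ev[j].sock != ev[i].sock) continue;
            if (ev[j].t >= ev[i].t && ev[j].t < ev[i].t + ev[i].dur) overlaps++;
        }
    }
    return overlaps;
}

/* One overlap can be a sloppy shutdown; a run of them is the race being hammered. */
static int is_suspicious(const char *const *lines, size_t n, int pid, int threshold) {
    return count_overlaps(lines, n, pid) >= threshold;
}

int main(void) {
    int pids[] = {4242, 777};
    for (size_t i = 0; i < 2; i++)
        printf("pid %d: %d close-during-IOCTL overlaps -> %s\n", pids[i],
               count_overlaps(SAMPLE_LOG, SAMPLE_LOG_LEN, pids[i]),
               is_suspicious(SAMPLE_LOG, SAMPLE_LOG_LEN, pids[i], 3) ? "ALERT" : "ok");
    return 0;
}
```

The threshold matters more than the overlap test itself: a single close racing an in-flight IOCTL happens in ordinary teardown, so the rule keys on repetition per process, which is also what the retry loop in the last bullet above produces.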

References