CVE-2021-38638

7.8 HIGH

📋 TL;DR

This vulnerability in Windows Ancillary Function Driver for WinSock allows attackers to escalate privileges from a low-privileged user account to SYSTEM level. It affects Windows systems where an attacker has local access. Successful exploitation requires an attacker to already have some level of access to the target system.

💻 Affected Systems

Products:

• Microsoft Windows

Versions: Windows 10 versions 1809, 1909, 2004, 20H2, 21H1; Windows Server 2019, 2022

Operating Systems: Windows 10, Windows Server 2019, Windows Server 2022

Default Config Vulnerable: ⚠️ Yes

Notes: Affects systems with default configurations. Requires local access to exploit.

📦 What is this software?

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 7 by Microsoft

View all CVEs affecting Windows 7 →

Windows 8.1 by Microsoft

View all CVEs affecting Windows 8.1 →

Windows Rt 8.1 by Microsoft

View all CVEs affecting Windows Rt 8.1 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2012 by Microsoft

View all CVEs affecting Windows Server 2012 →

Windows Server 2012 by Microsoft

View all CVEs affecting Windows Server 2012 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2019 by Microsoft

View all CVEs affecting Windows Server 2019 →

Windows Server 2022 by Microsoft

View all CVEs affecting Windows Server 2022 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of malware, data theft, lateral movement, and persistence mechanisms.

🟠

Likely Case

Local privilege escalation allowing attackers to bypass security controls, access sensitive data, and maintain persistence on compromised systems.

🟢

If Mitigated

Limited impact if proper access controls, least privilege principles, and network segmentation are implemented, though local compromise remains possible.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to exploit.

🏢 Internal Only: HIGH - Significant risk for internal systems where attackers could gain initial access through other means and then escalate privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires local access and low-privileged user credentials. Public proof-of-concept code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: October 2021 security updates (KB5006670, KB5006674, etc.)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38638

Restart Required: Yes

Instructions:

1. Apply October 2021 Windows security updates via Windows Update. 2. For enterprise environments, deploy through WSUS or SCCM. 3. Restart affected systems after patch installation.

🔧 Temporary Workarounds

Restrict local access

windows

Limit local access to systems through strict access controls and least privilege principles.

Network segmentation

all

Segment networks to limit lateral movement and contain potential privilege escalation.

🧯 If You Can't Patch

• Implement strict access controls and least privilege principles for all user accounts
• Monitor for suspicious privilege escalation attempts and implement enhanced logging

🔍 How to Verify

Check if Vulnerable:

Copy

Check Windows version and installed updates. Systems without October 2021 security updates are vulnerable.

Check Version:

Copy

wmic os get caption, version, buildnumber, osarchitecture

Verify Fix Applied:

Copy

Verify October 2021 security updates (KB5006670 for Windows 10 2004/20H2/21H1, KB5006674 for Windows 10 1909, etc.) are installed.

📡 Detection & Monitoring

Log Indicators:

• Event ID 4688 with suspicious process creation, unexpected privilege escalation events, anomalous driver loading

Network Indicators:

• Unusual outbound connections from systems after local access

SIEM Query:

Copy

EventID=4688 AND (ProcessName="*\afd.sys*" OR CommandLine="*afd*")

📊 Metadata

CVE ID: CVE-2021-38638

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-269

Published: September 15, 2021

Last Updated: December 16, 2025

🔗 References

• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38638 Patch,Vendor Advisory
• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38638 Patch,Vendor Advisory

📤 Share & Export

Twitter LinkedIn Reddit Copy Link

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-38638, you might also want to check these:

CVE-2023-48419 10.0

This vulnerability allows an attacker within Wi-Fi range of a Google Home device to spy on the victi...

Same vulnerability type (CWE-269)

CVE-2025-20282 10.0

This critical vulnerability in Cisco ISE and ISE-PIC allows unauthenticated remote attackers to uplo...

Same vulnerability type (CWE-269)

CVE-2022-24783 10.0

This critical vulnerability in Deno runtime allows malicious code to bypass all permission checks an...

Same vulnerability type (CWE-269)