CVE-2026-20860

Q: What is the severity of CVE-2026-20860?

CVE-2026-20860 has a CVSS score of 7.8 (HIGH). This vulnerability is a type confusion flaw in Windows Ancillary Function Driver for WinSock that allows an authenticated attacker to escalate privileges locally. It affects Windows systems with the vulnerable driver component. Attackers can gain SYSTEM-level privileges from a lower-privileged account.

7.8 HIGH

📋 TL;DR

This vulnerability is a type confusion flaw in Windows Ancillary Function Driver for WinSock that allows an authenticated attacker to escalate privileges locally. It affects Windows systems with the vulnerable driver component. Attackers can gain SYSTEM-level privileges from a lower-privileged account.

💻 Affected Systems

Products:

Windows Ancillary Function Driver for WinSock (afd.sys)

Versions: Specific Windows versions as detailed in Microsoft advisory

Operating Systems: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Default Config Vulnerable: ⚠️ Yes

Notes: Affects systems with the vulnerable driver version. Check Microsoft advisory for exact affected builds.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, and lateral movement across the network.

🟠

Likely Case

Local privilege escalation allowing attackers to bypass security controls, install additional malware, and access sensitive system resources.

🟢

If Mitigated

Limited impact if proper privilege separation and endpoint protection are in place, though successful exploitation still grants elevated access.

🌐 Internet-Facing: LOW - Requires local access and authentication, not directly exploitable over the internet.

🏢 Internal Only: HIGH - Any authenticated user on a vulnerable system could potentially exploit this to gain SYSTEM privileges.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local access and authentication. Type confusion vulnerabilities typically require specific conditions to trigger reliably.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific KB numbers

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20860

Restart Required: Yes

Instructions:

1. Apply latest Windows security updates from Microsoft. 2. Restart affected systems. 3. Verify patch installation via Windows Update history.

🔧 Temporary Workarounds

Restrict local access

windows

Limit local login capabilities to trusted users only

Enable exploit protection

windows

Configure Windows Defender Exploit Guard to mitigate privilege escalation attempts

🧯 If You Can't Patch

Implement strict least privilege access controls to limit who can log in locally
Deploy endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check Windows version and build number, then compare against Microsoft's affected versions list

Check Version:

wmic os get caption, version, buildnumber

Verify Fix Applied:

Verify Windows Update history shows the relevant security update installed

📡 Detection & Monitoring

Log Indicators:

Unusual process creation with SYSTEM privileges
Suspicious driver loading events
Security log events showing privilege escalation

Network Indicators:

None - this is a local privilege escalation vulnerability

SIEM Query:

EventID=4688 AND NewProcessName contains 'cmd.exe' OR 'powershell.exe' AND SubjectUserName != SYSTEM AND TokenElevationType != %%1938

📊 Metadata

CVE ID: CVE-2026-20860

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-843

EPSS Score: 0.19% exploit probability (40.8th percentile)

Published: January 13, 2026

Last Updated: January 15, 2026

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20860 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows 11 25h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

Windows Server 2025 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict local access

Enable exploit protection

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities