← All drivers
vulnerable
Driver

afd.sys

Windows Ancillary Function Driver for WinSock (a core OS driver)

From Microsoft
Status
On a known-vulnerable list
Known variants
2 distinct hashes
Public CVEs
1
Field notes

afd.sys is not a vendor utility you installed. It is a core part of Windows itself: the Ancillary Function Driver for WinSock, the kernel component that sits underneath nearly every network connection your PC makes. Every online game, every launcher, every update check goes through it. It is on every Windows machine, and there is nothing to uninstall.

It appears on the public LOLDrivers list because of CVE-2023-21768, an elevation-of-privilege flaw that let a local user on the machine gain SYSTEM, the highest level of access in Windows. Microsoft patched it in the January 2023 Patch Tuesday updates. What made it notable was the speed: working exploit code was public within about a day of the patch, and security firms (IBM X-Force, SentinelOne, Rapid7) analyzed it almost immediately.

This is the one entry in the Field Guide where the persistence story runs the other way. With a vendor's overclocking or RGB driver, the fix is to update or remove the bundled software. afd.sys is the operating system, so you do not remove it and you cannot; you keep Windows current. An unpatched copy is the risk, and Windows Update is the entire fix.

If afd.sys is on your system, that is correct and expected; it is on everyone's. The practical step is simply to make sure Windows Update is current. A machine patched past January 2023 is not running the vulnerable version.

What the record shows

afd.sys is listed as a known-vulnerable driver on the public LOLDrivers project. 2 distinct binary hashes matching this filename are on record, meaning multiple versions of the file have been observed.

Public CVEs
What this means, plainly
Presence is not proof of misuse. Driver files on the LOLDrivers list commonly ship with legitimate hardware tools, gaming software, or vendor utilities. Their presence is recorded as evidence on a record. It is never treated as a verdict about a person.
Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “afd.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/afd-sys