Windows CLFS Driver CVE-2023-36424
HIGHSeverity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Windows Common Log File System Driver Elevation of Privilege Vulnerability
AnalysisAI
Local privilege escalation in the Windows Common Log File System (CLFS) driver allows authenticated low-privileged attackers to elevate to SYSTEM on Windows 10 (1507 through 22H2) and Windows 11 21H2. The flaw is confirmed actively exploited (CISA KEV) with publicly available exploit code, and EPSS places it in the 93rd percentile for exploitation likelihood. Microsoft has released patches via standard monthly updates.
Technical ContextAI
The Common Log File System (clfs.sys) is a kernel-mode driver shipped with Windows that provides a general-purpose transactional logging facility used by services, the kernel transaction manager, and applications. The CWE-125 (out-of-bounds read) classification, combined with the 'Buffer Overflow' tag, indicates the driver reads past the bounds of an allocated buffer when parsing attacker-supplied CLFS log file structures (.BLF files or related log containers), which has historically been a fruitful target for kernel EoP because CLFS log parsing is reachable from user mode and runs in ring 0. The CPE list confirms every supported Windows 10 servicing branch (1507/1607/1809/21H2/22H2) on x86, x64, and ARM64, plus Windows 11 21H2 are affected, indicating a long-standing defect in the shared CLFS code path.
RemediationAI
Apply the Microsoft security update for CVE-2023-36424 from the November 2023 Patch Tuesday cycle (vendor-released patch available) by installing the appropriate cumulative update for each affected Windows 10 servicing branch (1507/1607/1809/21H2/22H2) and Windows 11 21H2, consulting Microsoft's MSRC advisory for the exact KB number per build. Because the vulnerability is in clfs.sys and reachable from any local user, there is no clean configuration workaround; compensating controls until patching is complete include enforcing least-privilege so that initial-access malware lands as a constrained user (to slow but not prevent the EoP), enabling Microsoft Defender / EDR rules targeting known public CLFS exploit primitives, and using attack surface reduction rules and application allowlisting to limit which binaries can run and thereby invoke the vulnerable driver - none of these block the bug itself, only narrow the population of attackers who can reach it.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today