Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in the Windows Common Log File System (CLFS) Driver allows an authenticated low-privileged attacker to elevate to SYSTEM via a use-after-free memory corruption flaw. The vulnerability carries a CVSS 7.8 rating with high impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. CLFS has a long history of being targeted for kernel-level privilege escalation, making this class of bug a recurring concern for Windows defenders.
Technical ContextAI
The Common Log File System (CLFS) is a general-purpose logging subsystem implemented in the kernel-mode driver clfs.sys, used by Windows applications and services for high-performance transaction logging. The root cause is CWE-416 (Use After Free), in which the driver references memory after it has been freed, allowing an attacker who can control the reallocated contents to corrupt kernel structures. Because clfs.sys runs in kernel space and is reachable from low-integrity user contexts via documented APIs, a successful UAF exploit typically yields arbitrary kernel read/write and full SYSTEM-level code execution.
RemediationAI
Apply the Microsoft monthly cumulative security update that addresses CVE-2026-44809 across all Windows endpoints and servers as listed on https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44809; exact KB article and build numbers should be taken directly from that MSRC entry since they were not included in the provided intelligence. Until patches are deployed, reduce blast radius by enforcing least privilege so standard users cannot run untrusted binaries, enabling Microsoft Defender attack surface reduction rules that block abuse of vulnerable signed drivers, and monitoring EDR for anomalous process token elevation and child processes of services that use CLFS - note that CLFS cannot simply be disabled because it is used by core OS components including the kernel transaction manager, so removal or driver blocklisting is not a viable workaround.
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35743
GHSA-mwwp-2qj3-893w