Skip to main content

Windows CLFS Driver CVE-2026-44809

| EUVDEUVD-2026-35743 HIGH
Use After Free (CWE-416)
2026-06-09 secure@microsoft.com GHSA-mwwp-2qj3-893w
7.8
CVSS 3.1 · NVD
Temporal: 6.8
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
6.8 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 18:34 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
HIGH 7.8

DescriptionNVD

Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in the Windows Common Log File System (CLFS) Driver allows an authenticated low-privileged attacker to elevate to SYSTEM via a use-after-free memory corruption flaw. The vulnerability carries a CVSS 7.8 rating with high impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. CLFS has a long history of being targeted for kernel-level privilege escalation, making this class of bug a recurring concern for Windows defenders.

Technical ContextAI

The Common Log File System (CLFS) is a general-purpose logging subsystem implemented in the kernel-mode driver clfs.sys, used by Windows applications and services for high-performance transaction logging. The root cause is CWE-416 (Use After Free), in which the driver references memory after it has been freed, allowing an attacker who can control the reallocated contents to corrupt kernel structures. Because clfs.sys runs in kernel space and is reachable from low-integrity user contexts via documented APIs, a successful UAF exploit typically yields arbitrary kernel read/write and full SYSTEM-level code execution.

RemediationAI

Apply the Microsoft monthly cumulative security update that addresses CVE-2026-44809 across all Windows endpoints and servers as listed on https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44809; exact KB article and build numbers should be taken directly from that MSRC entry since they were not included in the provided intelligence. Until patches are deployed, reduce blast radius by enforcing least privilege so standard users cannot run untrusted binaries, enabling Microsoft Defender attack surface reduction rules that block abuse of vulnerable signed drivers, and monitoring EDR for anomalous process token elevation and child processes of services that use CLFS - note that CLFS cannot simply be disabled because it is used by core OS components including the kernel transaction manager, so removal or driver blocklisting is not a viable workaround.

Share

CVE-2026-44809 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy