CVE-2021-36955 — Microsoft Windows Common Log File System (CLFS) Driver Privilege Escalation Vulnerability

CVE-2021-36955

Windows CLFS Driver — Local Privilege Escalation to SYSTEM; Actively Exploited in Ransomware Campaigns; September 2021 Patch Tuesday

What is Windows Common Log File System?

The Windows Common Log File System (CLFS) driver (clfs.sys) is a kernel-mode driver providing high-performance transactional logging services to Windows operating system components and applications. CLFS underpins Active Directory transaction logs, SQL Server logging, and various other Windows internal components requiring reliable write-ahead logging. As a kernel-mode driver that parses structured binary log file formats, CLFS has been a persistent target for privilege escalation exploits — multiple CLFS CVEs appear in CISA KEV across multiple years, including exploitation by the Nokoyawa ransomware group and various APT actors. The CLFS driver's complexity and its kernel-mode execution context make memory corruption bugs in its log file parsing code extremely dangerous.

Overview

CVE-2021-36955 is a local privilege escalation vulnerability in the Windows Common Log File System (CLFS) driver, patched in September 2021 Patch Tuesday. A local user with low privileges can exploit an unspecified vulnerability in the CLFS driver to escalate to SYSTEM-level privileges — the highest privilege level on Windows. CISA added this to KEV in November 2021, only weeks after the September patch, confirming active exploitation in ransomware campaigns. Ransomware operators use CLFS privilege escalation to convert initial access (typically a low-privileged shell from phishing or web exploitation) into full SYSTEM control for ransomware staging, credential dumping, and lateral movement.

Affected Versions

Product                                  Vulnerable   Fixed
Windows 10 (all supported versions)      Yes          September 2021 cumulative update
Windows 11                               Yes          September 2021 cumulative update
Windows Server 2019                      Yes          September 2021 cumulative update
Windows Server 2022                      Yes          September 2021 cumulative update
Windows Server 2008 R2 through 2016      Yes          September 2021 cumulative update

Technical Details

  • Root cause: An unspecified vulnerability in the CLFS kernel-mode driver — CLFS vulnerabilities typically involve memory corruption (use-after-free, type confusion, or out-of-bounds write) in the log file format parsing code, which processes attacker-controlled binary data in kernel context
  • Attack vector: Local (AV:L) with low privileges (PR:L) — the attacker must already have code execution as a standard user on the target system before leveraging this escalation
  • Escalation target: NT AUTHORITY\SYSTEM, unrestricted kernel-level access that enables disabling endpoint protection, dumping LSASS credentials, encrypting files for ransomware, establishing persistence, and lateral movement via pass-the-hash or Kerberos ticket theft
  • No user interaction: The exploit operates silently from a running low-privileged process
  • Ransomware utility: CLFS privilege escalation is a standard ransomware pre-encryption step — converting a low-privileged initial foothold into SYSTEM access needed to encrypt system files, disable VSS shadow copies, and bypass endpoint security

Discovery

Reported to Microsoft and patched in September 2021 Patch Tuesday. CISA's KEV addition just weeks later (November 3, 2021) confirms active exploitation in the wild at or shortly after patch release, consistent with CLFS zero-day or near-zero-day use in ransomware campaigns. The CLFS driver has been a recurring exploitation target, with multiple CVEs across 2021–2023 appearing in CISA KEV.

Exploitation Context

CLFS privilege escalation is particularly valuable to ransomware operators because it allows a low-privileged initial foothold (obtained via phishing, web exploitation, or credential theft) to be escalated immediately to SYSTEM for maximum-impact deployment. The Known Ransomware Use flag and rapid KEV addition (within weeks of the patch) indicate this was actively exploited in ransomware intrusions, consistent with the pattern of CLFS exploitation seen with Nokoyawa ransomware and other groups during 2021–2023. Windows systems still missing the September 2021 cumulative update remain vulnerable.

Remediation

  1. Apply the September 2021 cumulative update for your Windows version (KB5005565 for Windows 10 20H2/21H1, or the equivalent KB for other builds) via Windows Update
  2. Enable automatic Windows Updates to ensure monthly patches are applied promptly — CLFS vulnerabilities are patched monthly and must be kept current
  3. Implement least-privilege access: run users with standard (non-admin) accounts to ensure any initial compromise requires a privilege escalation step
  4. Deploy endpoint detection and response (EDR) with behavioral rules for CLFS-based privilege escalation patterns
  5. Enable Windows Defender Credential Guard and VBS (Virtualization Based Security) to protect credential stores even if SYSTEM is achieved via CLFS exploitation
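The PowerShell script below is an added example, not part of the original advisory, that reports the state of remediation steps 1, 3 and 5 on the local host. It assumes the KB list from step 1 (KB5005565 for Windows 10 20H2/21H1; pass the matching September 2021 KB for other builds) and uses a placeholder for the patched clfs.sys file version, which the advisory does not state and which must be filled in from the Microsoft Update Catalog before that comparison means anything.

```powershell
# Added example (not from the original advisory): report remediation state for
# CVE-2021-36955 on the local host, following the numbered steps above.
# Assumptions: $PatchKBs defaults to the KB named in step 1; $FixedClfsVersion is a
# PLACEHOLDER because the advisory does not give the patched clfs.sys version.
param(
    [string[]]$PatchKBs = @('KB5005565'),
    [version]$FixedClfsVersion = [version]'0.0.0.0'   # PLACEHOLDER, fill from vendor data
)

$report = [ordered]@{}

# Step 1: look for the listed cumulative update. Later cumulative updates supersede
# earlier ones and Get-HotFix then no longer lists the old KB, so the most recently
# installed update is reported too; "not found" alone is not proof of exposure.
$hotfixes = Get-HotFix -ErrorAction SilentlyContinue
$report['ListedKBPresent'] = [bool]($hotfixes | Where-Object { $_.HotFixID -in $PatchKBs })
$latest = $hotfixes | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$report['MostRecentUpdate'] = if ($latest) { '{0} ({1:yyyy-MM-dd})' -f $latest.HotFixID, $latest.InstalledOn } else { 'none recorded' }

# The driver itself: read the numeric version fields rather than the FileVersion
# string, which Windows does not always refresh when a binary is serviced.
$vi = (Get-Item "$env:SystemRoot\System32\drivers\clfs.sys").VersionInfo
$clfsVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
$report['ClfsVersion'] = $clfsVersion.ToString()
$report['ClfsAtOrAboveFixed'] = if ($FixedClfsVersion -eq [version]'0.0.0.0') { 'unknown (placeholder not set)' } else { $clfsVersion -ge $FixedClfsVersion }

# Step 3: is this session running with an administrator token? Standard users should not be.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
$report['SessionIsAdmin'] = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Step 5: VBS and Credential Guard status from the Win32_DeviceGuard WMI class.
# VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
# SecurityServicesRunning contains 1 when Credential Guard is running, 2 for HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$report['VBSRunning']             = [bool]($dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)
$report['CredentialGuardRunning'] = [bool]($dg -and (1 -in @($dg.SecurityServicesRunning)))

[pscustomobject]$report
```

Run it as the account whose exposure you want to assess (no elevation is needed to read the driver's version or the DeviceGuard class); a fleet-wide version of the same checks is what an EDR or configuration-management query for step 4 would collect.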

Key Details

CVE ID:                CVE-2021-36955
Vendor / Product:      Microsoft — Windows
NVD Published:         2021-09-15
NVD Last Modified:     2025-10-30
CVSS 3.1 Score:        7.8
CVSS 3.1 Vector:       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity:              HIGH
CISA KEV Added:        2021-11-03
CISA KEV Deadline:     2021-11-17
Known Ransomware Use:  Yes

CVSS 3.1 Breakdown

Attack Vector:         Local
Attack Complexity:     Low
Privileges Required:   Low
User Interaction:      None
Scope:                 Unchanged
Confidentiality:       High
Integrity:             High
Availability:          High
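As an added example (not from the original advisory), the following PowerShell function recomputes the CVSS 3.1 base score from the vector string given under Key Details, using the metric weights and Roundup rule of the published CVSS 3.1 specification, so the breakdown above can be checked against the listed 7.8. The function and weight-table names are this example's own; it also implements the changed-scope branch of the formula, which this CVE's vector (S:U) does not exercise.

```powershell
# Added example (not from the original advisory): CVSS 3.1 base score from a vector.
# Weights are the CVSS 3.1 specification values; function names are this example's own.

# CVSS 3.1 "Roundup": smallest one-decimal value >= input, computed on integers to
# avoid floating-point artefacts (mirrors the specification's reference routine).
function RoundUp([double]$x) {
    $i = [math]::Round($x * 100000)
    if ($i % 10000 -eq 0) { return $i / 100000 }
    return ([math]::Floor($i / 10000) + 1) / 10
}

function Get-Cvss31BaseScore {
    param([Parameter(Mandatory)][string]$Vector)

    # Parse "AV:L/AC:L/..." into a metric -> value table; the "CVSS:3.1" prefix is skipped.
    $m = @{}
    foreach ($part in ($Vector -split '/')) {
        if ($part -like 'CVSS:*') { continue }
        $key, $val = $part -split ':'
        $m[$key] = $val
    }

    $scopeChanged = ($m['S'] -eq 'C')
    $wAV  = @{ N = 0.85; A = 0.62; L = 0.55; P = 0.2 }
    $wAC  = @{ L = 0.77; H = 0.44 }
    $wUI  = @{ N = 0.85; R = 0.62 }
    # Privileges Required weighs more when the exploit crosses a scope boundary.
    $wPR  = if ($scopeChanged) { @{ N = 0.85; L = 0.68; H = 0.5 } } else { @{ N = 0.85; L = 0.62; H = 0.27 } }
    $wCIA = @{ H = 0.56; L = 0.22; N = 0.0 }

    # Impact sub-score: 1 - product of (1 - weight) over C, I, A.
    $iss = 1 - ((1 - $wCIA[$m['C']]) * (1 - $wCIA[$m['I']]) * (1 - $wCIA[$m['A']]))
    $impact = if ($scopeChanged) { 7.52 * ($iss - 0.029) - 3.25 * [math]::Pow($iss - 0.02, 15) } else { 6.42 * $iss }
    $exploitability = 8.22 * $wAV[$m['AV']] * $wAC[$m['AC']] * $wPR[$m['PR']] * $wUI[$m['UI']]

    if ($impact -le 0) { return 0.0 }
    $raw = if ($scopeChanged) { [math]::Min(1.08 * ($impact + $exploitability), 10) } else { [math]::Min($impact + $exploitability, 10) }
    return (RoundUp $raw)
}

# For this CVE: ISS = 1 - 0.44^3 = 0.9148, Impact = 6.42 * ISS = 5.873,
# Exploitability = 8.22 * 0.55 * 0.77 * 0.62 * 0.85 = 1.835, sum 7.708 -> rounds up to 7.8.
Get-Cvss31BaseScore -Vector 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'
```

The walk-through in the trailing comment shows why the score lands at HIGH rather than CRITICAL: the local attack vector (0.55) and the low-privilege requirement (0.62) hold the exploitability term to about 1.8 even though all three impact metrics are High.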

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

2021-09-14   Microsoft patches CVE-2021-36955 in September 2021 Patch Tuesday
2021-09-15   CVE published
2021-11-03   Added to CISA Known Exploited Vulnerabilities catalog, confirming active exploitation in ransomware campaigns
2021-11-17   CISA BOD 22-01 remediation deadline