CVE-2021-43226 — Microsoft Windows Privilege Escalation Vulnerability

CVE-2021-43226

Windows Common Log File System (CLFS) Driver — Local Privilege Escalation Enabling Low-Privileged User to Gain SYSTEM Access

What is Windows Common Log File System?

The Windows Common Log File System (CLFS) driver (clfs.sys) is a kernel-mode driver in Windows that provides a high-performance logging service used by the Windows operating system and applications for structured event logging, transaction management, and crash recovery. CLFS is used internally by Windows components including Active Directory, transaction-based registry changes, and various system services. As a kernel-mode component that processes structured log file data, CLFS has been a recurring target for local privilege escalation exploits — multiple CLFS vulnerabilities have been added to CISA KEV over the years, including exploitation by the Nokoyawa ransomware group and others.

Overview

CVE-2021-43226 is a local privilege escalation vulnerability in the Windows Common Log File System driver. By exploiting this vulnerability, a local user with low privileges can bypass certain Windows security mechanisms and escalate to SYSTEM-level privileges. The vulnerability was patched in December 2021 Patch Tuesday, but CISA did not add it to KEV until October 2025 — nearly four years after the patch — reflecting continued long-tail exploitation in intrusions against unpatched systems. The vulnerability is exploited in post-compromise scenarios: after an attacker has gained initial access to a Windows system (via phishing, web shell, or other means), CLFS privilege escalation provides the path to SYSTEM for persistence and lateral movement.

Affected Versions

Product                               Vulnerable   Fixed
Windows 10 (all supported versions)   Yes          December 2021 cumulative update
Windows 11                            Yes          December 2021 cumulative update
Windows Server 2019                   Yes          December 2021 cumulative update
Windows Server 2022                   Yes          December 2021 cumulative update

Technical Details

  • Root cause: An unspecified vulnerability in the CLFS kernel driver — Microsoft describes it as allowing "a local, privileged attacker to bypass certain security mechanisms," consistent with a memory corruption or logic flaw in CLFS log file parsing
  • Attack vector: Local — the attacker must have code execution in a low-privileged user context on the target Windows machine before exploiting this vulnerability (AV:L, PR:L)
  • Privilege escalation target: SYSTEM — the highest privilege level on Windows, providing unrestricted access to all processes, files, and system configuration
  • Post-exploitation utility: SYSTEM access enables disabling security products, adding persistence mechanisms, dumping credential stores (LSASS), and lateral movement via pass-the-hash or Kerberos
  • No user interaction needed — the exploit executes silently from a running process

Discovery

The vulnerability was patched as part of Microsoft's December 2021 Patch Tuesday release under coordinated disclosure. The near-four-year delay before CISA KEV addition reflects the continued relevance of this CLFS privilege escalation technique against organizations running unpatched Windows systems.

Exploitation Context

CLFS has been a prolific target for Windows privilege escalation exploits. The late (2025) CISA KEV addition for this 2021 vulnerability reflects that unpatched systems remain a significant attack surface — enterprises with slow patching cadences or systems that cannot take cumulative updates (legacy workloads, air-gapped systems) remain vulnerable. In post-compromise attack chains, CLFS privilege escalation converts low-privileged local access into full SYSTEM control.

Remediation

  1. Apply the December 2021 cumulative update (KB5008212 for Windows 10/Server, or the equivalent update for the installed build) via Windows Update
  2. Enable automatic updates in Windows Update so that monthly cumulative patches are received promptly
  3. Prioritize systems where privilege escalation protection is critical: domain controllers, file servers, and systems with sensitive data
  4. Consider deploying Windows Defender Credential Guard and Attack Surface Reduction rules to limit the utility of local privilege escalation even if it occurs
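The following PowerShell script is an added example for checking the remediation state described in the steps above on a single host; it is not part of the advisory and not Microsoft's code. It assumes that the -KbId parameter (defaulting to KB5008212, the Windows 10/Server identifier named above) is replaced with the build's equivalent cumulative update where different, that the Win32_DeviceGuard CIM class is available for the Credential Guard check, and that Get-MpPreference is available for the Attack Surface Reduction check. The ASR rule inspected is the real "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" rule, chosen because LSASS credential dumping is the post-exploitation activity the Technical Details section calls out.

```powershell
<#
  Added remediation-state check (example code, not from the advisory or Microsoft).
  Assumptions: -KbId must match the cumulative update for the installed build;
  KB5008212 is only the Windows 10/Server identifier named in the advisory.
#>
param(
    [string]$KbId = 'KB5008212'  # placeholder default; substitute the build's equivalent KB
)

function Get-PatchState {
    param([string]$Kb)
    # Get-HotFix lists the KB only if that specific update is still recorded;
    # Build.UBR identifies the installed cumulative update even when a later
    # update has superseded it, so report both for comparison with the KB article.
    $hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        KbQueried = $Kb
        KbListed  = [bool]$hotfix
        OsBuild   = "$($ver.CurrentBuild).$($ver.UBR)"
    }
}

function Get-CredentialGuardState {
    # SecurityServicesRunning contains 1 when Credential Guard is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CredentialGuardRunning = ($null -ne $dg -and 1 -in $dg.SecurityServicesRunning)
    }
}

function Get-AsrLsassRuleState {
    # ASR rule "Block credential stealing from the Windows local security
    # authority subsystem (lsass.exe)". Actions: 0 = Disabled, 1 = Block,
    # 2 = Audit, 6 = Warn. Ids and Actions are parallel arrays.
    $lsassRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    $action = $null
    if ($mp -and $mp.AttackSurfaceReductionRules_Ids) {
        $ids = @($mp.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
        $idx = [array]::IndexOf($ids, $lsassRule)
        if ($idx -ge 0) { $action = $mp.AttackSurfaceReductionRules_Actions[$idx] }
    }
    [pscustomobject]@{
        LsassAsrRuleAction = $action
        LsassAsrBlocking   = ($action -eq 1)
    }
}

$patch = Get-PatchState -Kb $KbId
$cg    = Get-CredentialGuardState
$asr   = Get-AsrLsassRuleState

# One row per host; run via Invoke-Command against a list of computers to
# prioritize domain controllers and file servers as step 3 recommends.
[pscustomobject]@{
    ComputerName           = $env:COMPUTERNAME
    KbQueried              = $patch.KbQueried
    KbListed               = $patch.KbListed
    OsBuild                = $patch.OsBuild
    CredentialGuardRunning = $cg.CredentialGuardRunning
    LsassAsrRuleAction     = $asr.LsassAsrRuleAction
    LsassAsrBlocking       = $asr.LsassAsrBlocking
} | Format-List
```

A false KbListed is not by itself proof that the host is vulnerable, since a later cumulative update supersedes the December 2021 one; compare OsBuild against the build numbers in the relevant KB article before treating a host as unpatched. The Credential Guard and ASR results indicate whether the step 4 controls that limit the value of a successful escalation are actually enforced, not merely configured.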

Key Details

Property               Value
CVE ID                 CVE-2021-43226
Vendor / Product       Microsoft — Windows
NVD Published          2021-12-15
NVD Last Modified      2025-10-30
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CISA KEV Added         2025-10-06
CISA KEV Deadline      2025-10-27
Known Ransomware Use   No

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Local
Attack Complexity      Low
Privileges Required    Low
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2025-10-27. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2021-12-14    Microsoft patches CVE-2021-43226 in December 2021 Patch Tuesday
2021-12-15    CVE published
2025-10-06    Added to CISA Known Exploited Vulnerabilities catalog — nearly four years after patch
2025-10-27    CISA BOD 22-01 remediation deadline