CVE-2022-37969 — Microsoft Windows Common Log File System (CLFS) Driver Privilege Escalation Vulnerability

Microsoft Windows CLFS Driver — Out-of-Bounds Write Enabling SYSTEM Privilege Escalation, Exploited by Nokoyawa Ransomware

What is the Windows Common Log File System (CLFS) Driver?

The Common Log File System (CLFS) is a Windows kernel driver (clfs.sys) that provides a general-purpose logging infrastructure used by the operating system and applications. CLFS handles the reading and writing of structured log files. Because CLFS runs in kernel mode and processes file-based data structures, malformed log files or specially crafted CLFS operations can trigger kernel-level memory corruption. CLFS has been a recurring source of Windows privilege escalation vulnerabilities, with Kaspersky noting a series of related CLFS bugs exploited in the wild between 2022 and 2023.

Overview

CVE-2022-37969 is an out-of-bounds write vulnerability in the Windows CLFS kernel driver. A low-privileged local attacker can exploit the flaw to escalate privileges to SYSTEM. Microsoft confirmed active exploitation at time of patching; CISA added it to KEV the following day. Kaspersky later linked exploitation to the Nokoyawa ransomware threat actor, which used CVE-2022-37969 and related CLFS vulnerabilities as part of their post-intrusion privilege escalation toolkit.

Affected Versions

Product                         Vulnerable   Fixed
Windows 8.1                     Yes          September 2022 CU
Windows Server 2012 R2          Yes          September 2022 CU
Windows 10 (multiple versions)  Yes          September 2022 CU
Windows 11                      Yes          September 2022 CU
Windows Server 2016 – 2022      Yes          September 2022 CU

Technical Details

The vulnerability is an out-of-bounds write (CWE-787) in clfs.sys. Exploitation involves crafting or manipulating a CLFS log file to trigger a write past the bounds of an allocated kernel buffer. This can corrupt adjacent kernel memory, overwriting data structures to redirect execution or elevate privileges.

  • Attack vector: Local — requires an existing foothold (user-level code execution on the target)
  • Privileges required: Low — a standard unprivileged domain or local user is sufficient
  • User interaction: None — fully automated once local code execution is available
  • Impact: SYSTEM-level privilege escalation; complete control over the operating system
  • CLFS pattern: Multiple independent research teams reported this CVE simultaneously (all are credited in the MSRC advisory), and Kaspersky noted that the same threat actor exploited a sequence of similar CLFS bugs over a 12-month period, which suggests deliberate, sustained research into the CLFS attack surface

Discovery

Reported by multiple independent researchers: Genwei Jiang (Mandiant), Qiuhao Li (Neusoft Education), Zscaler ThreatLabz, and CrowdStrike. The simultaneous multi-reporter disclosure indicates the bug was found by several parties, likely including the threat actor using it in the wild before the patch.

Exploitation Context

Microsoft confirmed active exploitation at time of patch. Kaspersky's February 2023 report attributed exploitation to the Nokoyawa ransomware group, which consistently exploited CLFS kernel driver vulnerabilities as their preferred Windows privilege escalation technique. The group used CVE-2022-37969 alongside other CLFS zero-days to escalate from an initial low-privilege foothold to SYSTEM before deploying ransomware payloads. Kaspersky identified at least five distinct CLFS exploits used by this actor between 2022 and early 2023.

Remediation

  1. Apply the September 2022 Patch Tuesday cumulative update for your Windows version
  2. Prioritize systems where ransomware actors are most likely to seek privilege escalation: domain-joined endpoints, file servers, and backup infrastructure
  3. Implement least-privilege access controls to limit the impact of the initial foothold that would precede this escalation
  4. Enable Windows Defender Credential Guard and Attack Surface Reduction rules to slow post-exploitation activity
  5. Monitor for unusual CLFS log file creation or modification in %SystemRoot%\System32\config\ by non-SYSTEM processes
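The following PowerShell script is an added example for defenders and is not part of this advisory or of any Microsoft tooling. It automates the host-side parts of steps 1 and 5: it reports the installed clfs.sys build and whether a given cumulative update is present, lists recently created or modified CLFS base log files (*.blf) under %SystemRoot%\System32\config\ whose owner is not SYSTEM or TrustedInstaller, and, where Sysmon is installed, pulls FileCreate events (Event ID 11) for the same path. The KB identifier and the patched driver version are placeholders to be taken from the Microsoft advisory for your OS build; the Sysmon "User" field is assumed to be present (older Sysmon schemas omit it).

```powershell
<#
 Added example, not from the advisory: host-side checks for remediation
 steps 1 and 5. KB number and patched clfs.sys version are PLACEHOLDERS.
#>
param(
    [string]$CumulativeUpdateKb = 'KB0000000',  # PLACEHOLDER: September 2022 CU for this build
    [string]$PatchedClfsVersion = '',           # PLACEHOLDER: fixed clfs.sys version; '' = report only
    [int]$LookbackDays = 7
)

# --- A: patch state --------------------------------------------------------
$driver  = Get-Item (Join-Path $env:SystemRoot 'System32\drivers\clfs.sys')
$build   = $driver.VersionInfo.ProductVersion -as [version]
$hotfix  = Get-HotFix -Id $CumulativeUpdateKb -ErrorAction SilentlyContinue
$meetsMin = if ($PatchedClfsVersion) { $build -ge ($PatchedClfsVersion -as [version]) } else { $null }
[pscustomobject]@{
    ClfsVersion     = $build
    CuInstalled     = [bool]$hotfix
    MeetsMinVersion = $meetsMin   # $null when no baseline version was supplied
} | Format-List

# --- B: recent *.blf files under System32\config, by owner -----------------
$since     = (Get-Date).AddDays(-$LookbackDays)
$configDir = Join-Path $env:SystemRoot 'System32\config'
$trusted   = @('NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller')

Get-ChildItem -LiteralPath $configDir -Filter '*.blf' -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since } |
    ForEach-Object {
        # File owner is only a proxy for the creating principal: a file created by a
        # member of Administrators is owned by BUILTIN\Administrators by default.
        $owner = (Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Owner
        [pscustomobject]@{
            Path     = $_.FullName
            Created  = $_.CreationTime
            Modified = $_.LastWriteTime
            Owner    = $owner
        }
    } |
    Where-Object { $_.Owner -notin $trusted } |
    Format-Table -AutoSize

# --- C: Sysmon FileCreate (Event ID 11) for *.blf under System32\config ----
$sysmonLog = 'Microsoft-Windows-Sysmon/Operational'
if (Get-WinEvent -ListLog $sysmonLog -ErrorAction SilentlyContinue) {
    Get-WinEvent -FilterHashtable @{ LogName = $sysmonLog; Id = 11; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read EventData by field name rather than by positional index.
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Image  = $fields['Image']
                User   = $fields['User']          # ASSUMPTION: present in current Sysmon schema
                Target = $fields['TargetFilename']
            }
        } |
        Where-Object { $_.Target -like "$configDir\*.blf" -and $_.User -ne 'NT AUTHORITY\SYSTEM' } |
        Format-Table -AutoSize
}
```

Run it elevated so the config directory and the Sysmon log are readable. Section B is a quick triage view; Section C is the stronger signal because it records the creating process and user at creation time rather than inferring them from the file's current owner.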

Key Details

Property                Value
CVE ID                  CVE-2022-37969
Vendor / Product        Microsoft — Windows
NVD Published           2022-09-13
NVD Last Modified       2026-01-13
CVSS 3.1 Score          7.8
CVSS 3.1 Vector         CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity                HIGH
CWE                     CWE-787
CISA KEV Added          2022-09-14
CISA KEV Deadline       2022-10-05
Known Ransomware Use    No

CVSS 3.1 Breakdown

Attack Vector         Local
Attack Complexity     Low
Privileges Required   Low
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-10-05. Apply updates per vendor instructions.

Timeline

Date         Event
2022-09-13   Microsoft patches CVE-2022-37969 in September 2022 Patch Tuesday
2022-09-14   Added to CISA Known Exploited Vulnerabilities catalog
2022-10-05   CISA BOD 22-01 remediation deadline
2023-02-28   Kaspersky publishes report linking CVE-2022-37969 exploitation to Nokoyawa ransomware campaigns