CVE-2023-36036 — Microsoft Windows Cloud Files Mini Filter Driver Privilege Escalation Vulnerability

Windows Cloud Files Mini Filter Driver — Heap Buffer Overflow for SYSTEM Privilege Escalation

What is the Windows Cloud Files Mini Filter Driver?

The Cloud Files Mini Filter Driver (cldflt.sys) is a kernel-mode file system minifilter that manages cloud-synchronized files on Windows, providing the placeholder-file and download-on-demand behavior used by OneDrive and other cloud storage providers. It sits in the Windows file system driver stack and is present on every supported client and server edition. Because it runs in kernel mode, a memory-safety bug in this driver gives a local attacker a direct path to SYSTEM, which makes such bugs high-value targets for local privilege escalation.

Overview

CVE-2023-36036 is a heap-based buffer overflow in the Windows Cloud Files Mini Filter Driver that allows a local attacker with low privileges to escalate to SYSTEM. Microsoft disclosed and patched it on November 14, 2023 (Patch Tuesday) as an actively exploited zero-day, making it one of three zero-days addressed that month.

Affected Versions

Product                                    Affected   Fixed
Windows 10 (all supported versions)        Yes        November 2023 cumulative update
Windows 11 (all supported versions)        Yes        November 2023 cumulative update
Windows Server 2008 R2 through 2022        Yes        November 2023 cumulative update

Technical Details

The vulnerability is a heap-based buffer overflow (CWE-122) in cldflt.sys. When processing specific file system operations involving cloud-backed files, the driver fails to validate buffer sizes before copying data into a heap allocation. An attacker who can run code as a low-privileged (standard) user can trigger this overflow to corrupt adjacent kernel heap memory, and from there obtain controlled code execution at SYSTEM level.

The CVSS vector reflects the attack characteristics: local access required, low complexity, low privileges sufficient, no user interaction needed (AV:L/AC:L/PR:L/UI:N). This profile makes it well-suited as a post-exploitation privilege escalation step — typically deployed after initial access is established via another vector such as phishing or a browser exploit.

Discovery

Microsoft credited the discovery to an anonymous reporter. The vulnerability was already under active exploitation in the wild at the time of disclosure, indicating that threat actors found and used it before it reached researchers or the vendor.

Exploitation Context

Microsoft confirmed active in-the-wild exploitation at the time of the November 2023 Patch Tuesday release. This type of local privilege escalation is commonly used in the second stage of attack chains: after gaining initial footholds via phishing, browser exploits, or credential theft, attackers use kernel EoP bugs to reach SYSTEM and disable defenses or move laterally. The zero-day status suggests targeted use by a sophisticated threat actor prior to public awareness.

Remediation

  1. Apply the November 2023 cumulative update for your Windows version via Windows Update or WSUS immediately — this is the primary fix.
  2. Prioritize high-value systems and any system where untrusted users can run code locally (VDI environments, shared workstations, RDS servers), as well as internet-facing hosts that could receive a first-stage payload.
  3. Review local user accounts for unauthorized additions, particularly accounts with elevated permissions created around or before the patch date.
  4. Enable Windows Defender Credential Guard and Attack Surface Reduction rules to reduce the blast radius of post-exploitation privilege escalation attempts.
  5. Monitor for kernel driver anomalies and for SYSTEM-level process creation whose creator is a low-privileged user or process.
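The following PowerShell script is an added example, not part of the advisory and not Microsoft tooling. It turns the five remediation steps above into a single host check: whether the cumulative update is installed, the version and load state of cldflt.sys, whether Credential Guard is running and which ASR rules are enforced, local accounts created since the patch window (Security event 4720), and SYSTEM processes whose creating subject was not SYSTEM (Security event 4688). The KB number is a placeholder because the November 2023 update KB differs per Windows build; the 4688 heuristic assumes process-creation auditing is enabled and only sees the case where a new process is started under a SYSTEM token by a non-SYSTEM caller, which is one of several possible post-exploitation patterns.

```powershell
# Added example (not from the advisory): post-patch verification for CVE-2023-36036.
# Run elevated. $ExpectedKb is a PLACEHOLDER: look up the November 2023 cumulative
# update KB for your exact build in the Microsoft advisory and fill it in.
$ExpectedKb = 'KB<nov-2023-cu-for-your-build>'   # placeholder, not a real KB number

function Test-PatchInstalled {
    param([string]$Kb)
    # Step 1: Get-HotFix lists installed updates; cumulative updates appear by KB id.
    $hit = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $Kb }
    return [bool]$hit
}

function Get-CldfltInfo {
    # Step 1 (supporting evidence): driver binary version and whether the filter is loaded.
    $path = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'
    $version = if (Test-Path $path) { (Get-Item $path).VersionInfo.FileVersion } else { 'missing' }
    $loaded = (fltmc.exe filters 2>$null) -match '^\s*cldflt\b'
    [pscustomobject]@{ Path = $path; FileVersion = $version; Loaded = [bool]$loaded }
}

function Test-CredentialGuardRunning {
    # Step 4: Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard runs.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return ($null -ne $dg -and $dg.SecurityServicesRunning -contains 1)
}

function Get-AsrRuleState {
    # Step 4: ASR rule ids and actions are parallel arrays on Get-MpPreference.
    # Action codes: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn.
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if (-not $pref -or -not $pref.AttackSurfaceReductionRules_Ids) { return @() }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
            Action = $pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
}

function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Flatten the EventData XML of a Security event into a name -> value hashtable.
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

function Get-AccountCreationEvents {
    param([datetime]$Since = [datetime]'2023-11-01')   # constructed window around the patch date
    # Step 3: Security event 4720 = "A user account was created" (needs account-management auditing).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Since } `
                 -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{ Time = $_.TimeCreated; NewAccount = $d['TargetUserName']; CreatedBy = $d['SubjectUserName'] }
    }
}

function Get-SystemProcessFromNonSystemCreator {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    # Step 5: Security event 4688 (needs process-creation auditing). Flags processes whose
    # new token is SYSTEM (S-1-5-18) while the creating subject is not. Heuristic only:
    # an exploit that steals a SYSTEM token and then spawns a child logs SYSTEM as the subject.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } `
                 -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d['TargetUserSid'] -eq 'S-1-5-18' -and $d['SubjectUserSid'] -ne 'S-1-5-18') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Process = $d['NewProcessName']
                Parent  = $d['ParentProcessName']
                Creator = $d['SubjectUserName']
            }
        }
    }
}

# Summary report; inspect the individual functions' output for the details behind each count.
$report = [ordered]@{
    PatchInstalled          = Test-PatchInstalled -Kb $ExpectedKb
    Cldflt                  = Get-CldfltInfo
    CredentialGuardRunning  = Test-CredentialGuardRunning
    AsrRulesNotOff          = @(Get-AsrRuleState | Where-Object { $_.Action -ne 0 }).Count
    AccountsCreatedSinceNov = @(Get-AccountCreationEvents).Count
    SystemProcsNonSysCaller = @(Get-SystemProcessFromNonSystemCreator).Count
}
$report | Format-List
```

A PatchInstalled value of False with a Loaded cldflt.sys means the host is both unpatched and exposing the vulnerable driver; treat that combination as the top of the patch queue. The two event-log functions return nothing on hosts where the corresponding audit subcategories are off, so a zero count there is only meaningful once you have confirmed auditing is enabled.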

Key Details

Property               Value
CVE ID                 CVE-2023-36036
Vendor / Product       Microsoft — Windows
NVD Published          2023-11-14
NVD Last Modified      2025-10-28
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-122
CISA KEV Added         2023-11-14
CISA KEV Deadline      2023-12-05
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector:        Local
Attack Complexity:    Low
Privileges Required:  Low
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2023-12-05. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2023-11-14   Microsoft November 2023 Patch Tuesday — CVE disclosed and patched as zero-day
2023-11-14   Added to CISA Known Exploited Vulnerabilities catalog
2023-12-05   CISA BOD 22-01 remediation deadline

References

Resource                                      Type
Microsoft Security Response Center Advisory   Vendor Advisory
NVD — CVE-2023-36036                          Vulnerability Database
CISA KEV Catalog Entry                        US Government