CVE-2023-36424

What is the Windows Common Log File System (CLFS)?

The Windows Common Log File System (CLFS) is a kernel-mode driver (clfs.sys) providing a general-purpose, high-performance logging mechanism for both user-mode and kernel-mode applications. CLFS manages structured log files using a binary format based on .BLF (Base Log File) and .blf-associated container files. It is used internally by Windows components including Event Tracing for Windows (ETW), transaction management, and various system services. Because CLFS operates at the kernel level and processes file structures with complex binary parsing logic, it has become a frequent source of Windows kernel privilege escalation vulnerabilities — a cluster that ransomware groups and APTs have heavily targeted since 2022.

Overview

CVE-2023-36424 is an out-of-bounds read vulnerability in the Windows CLFS kernel driver that leads to local privilege escalation. By supplying a crafted .BLF log file, a local attacker with standard user privileges can trigger a kernel pool corruption condition in clfs.sys, ultimately elevating from Medium Integrity Level to High Integrity (administrative/SYSTEM) access.

Affected Versions

All supported Windows releases at the time of the November 2023 Patch Tuesday are affected, including:

Technical Details

Root cause: Out-of-Bounds Read in CLFS BLF Parsing (CWE-125)

The vulnerability exists in the CLFS mini-filter driver's parsing of Binary Log File (.BLF) structures. During parsing, the driver processes metadata fields including size and offset values without adequately validating whether computed memory addresses fall within the bounds of the allocated kernel pool buffer.

The flaw can be triggered via an NTFS reparse point — a filesystem redirection mechanism that causes CLFS to process an attacker-controlled .BLF file during a routine log operation. The out-of-bounds read causes kernel pool corruption that can be leveraged for a controlled write primitive.

Exploit chain:

1. Normal user context: Attacker runs code with standard (Medium Integrity) user privileges
2. Craft malicious BLF: Attacker creates a specially structured .BLF file with manipulated size/offset fields in CLFS record headers
3. Trigger via reparse point: Attacker places an NTFS reparse point that redirects a CLFS operation to the crafted BLF file
4. OOB read → pool corruption: clfs.sys processes the BLF without bounds checking, reading past the buffer boundary into adjacent kernel pool memory
5. Controlled write / token manipulation: The pool corruption is exploited to gain a kernel write primitive, which is used to overwrite a process token or security descriptor to elevate to SYSTEM
6. Privilege escalation complete: Attacker achieves SYSTEM-level code execution

Attack characteristics:

• Authentication required: Local user account (any standard user)
• Complexity: Low — well-understood kernel pool exploitation techniques
• User interaction: None required after initial code execution
• Scope: Local — requires existing foothold on the system

Discovery & Exploitation Context

CLFS has been a particularly productive vulnerability hunting ground. The CLFS driver has yielded multiple high-value LPE CVEs used in real-world attacks:

• CVE-2022-24521 — CLFS EoP, exploited by ransomware actors
• CVE-2023-23376 — CLFS EoP, Patch Tuesday February 2023
• CVE-2023-28252 — CLFS EoP, exploited by Nokoyawa ransomware (Kaspersky)
• CVE-2023-36424 — CLFS EoP, November 2023, PoC released by zerozenxlabs

The pattern is consistent: CLFS LPE vulnerabilities are rapidly weaponized by ransomware operators because they provide a reliable, low-complexity path from a compromised user account to full SYSTEM control — enabling credential dumping, lateral movement, and domain compromise.

Remediation

1. Apply the November 2023 Patch Tuesday security update (KB5032189 for Windows 11 22H2, KB5032199 for Windows 10 22H2, equivalent for Server). Verify via Windows Update or WSUS.
2. Verify patch installation: Check Settings → Windows Update → Update History for November 14, 2023 updates.
3. Prioritize internet-facing and critical systems — although this is a local privilege escalation, attackers commonly chain it after an initial foothold (phishing, web exploit) to achieve full system compromise.
4. Deploy Credential Guard and LSA Protection — limit the value of SYSTEM access by protecting credentials from extraction post-escalation.
5. Monitor for CLFS anomalies — watch for unusual .BLF file creation in non-system directories or NTFS reparse point manipulation via endpoint detection rules.
6. Enable Attack Surface Reduction (ASR) rules in Microsoft Defender for Endpoint to restrict common post-exploitation techniques that follow LPE.