HIGH CVSS: N/A 2026-04-19

CVE-2023-36424: Windows clfs.sys Pool Overflow Enables Kernel Privilege Escalation

Analysis of CVE-2023-36424, a critical pool overflow in clfs.sys allowing local privilege escalation, currently listed in the KEV catalog.

CVE-2023-36424: Windows clfs.sys Pool Overflow Enables Kernel Privilege Escalation

⚠ No Runnable Lab

This CVE cannot be reproduced in a standard Linux Docker container.

There is no Vulhub coverage or Linux-based emulation for clfs.sys or the Windows kernel exploitation primitives involved in this vulnerability. To reproduce this behavior or verify the analysis, you must set up a vulnerable Windows environment (e.g., a pre-patched Windows Server or Client VM) and compile/run the exploit code locally. Do not attempt to run this exploit on production systems or without proper isolation.

1. Executive Summary

CVE-2023-36424 is a high-severity vulnerability affecting the Common Log File System Driver (clfs.sys) in Microsoft Windows. While the official CVE description categorizes this as an "Out-of-Bounds Read," technical analysis reveals the vulnerability is actually a kernel pool overflow resulting in arbitrary kernel memory read/write capabilities.

  • Severity: HIGH (CVSS 7.8)
  • Attack Vector: Local (Low Integrity)
  • Impact: Privilege Escalation to SYSTEM
  • KEV Status: Listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.
  • Component: clfs.sys (Cloud Filter Mini-Driver)

This vulnerability allows an unprivileged attacker to craft malicious NTFS reparse points that bypass validation logic within the cloud filter driver. By triggering a pool corruption via insufficient validation of reparse item counts, an attacker can groom the kernel heap, overwrite critical function pointers, and leverage ALPC (Advanced Local Procedure Call) primitives to achieve full kernel read/write and eventual privilege escalation.

Given its inclusion in the KEV catalog, organizations must prioritize patching this vulnerability immediately, particularly for internet-facing or shared infrastructure.

2. Technical Deep Dive

2.1 The Misleading CVE Title

Security analysts should note a discrepancy between the CVE title and the actual exploit mechanics:

  • CVE Title: "Out-of-Bounds Read Vulnerability" (CWE-125).
  • Actual Mechanism: Kernel Pool Overflow / Arbitrary Write.

The vulnerability stems from a validation bypass that allows an out-of-bounds condition, which the attacker then leverages to perform a heap overflow. The driver performs an OOB check, but the subsequent copy operation is the destructive primitive.

2.2 Vulnerability Root Cause

The root cause resides in the cloud filter mini-driver (clfs.sys), specifically within the handling of NTFS reparse points. The driver processes reparse data through a chain of internal functions:

HsmFltProcessHSMControl
  → HsmFltProcessUpdatePlaceholder
    → HsmiOpUpdatePlaceholderDirectory
      → HsmpRpCommitNoLock

The critical flaw exists in the validation function HsmpRpValidateBuffer. When processing a reparse point buffer, the function iterates through items to validate their integrity. However, the validation logic contains a hard-coded loop limit:

// Pseudo-code representing the vulnerable validation logic
if ((unsigned int)v12 >= 0xA) {
    v15 = 10; // Hard limit: only validate first 10 items
}

If a reparse point contains more than 10 items, the driver only validates the first 10 items (index 0 to 9). Items starting from index 10 are skipped entirely. This creates a validation bypass.

2.3 Exploitation Primitives

  1. Pool Overflow:
    The function HsmpRpCommitNoLock allocates a fixed 0x4000-byte (16KB) paged kernel pool buffer. It then uses memmove to copy reparse items into this buffer. Since items beyond index 9 are not validated, an attacker can construct items with sizes that cause memmove to write past the 0x4000 boundary, corrupting adjacent kernel objects.

  2. Heap Grooming:
    To ensure the overflow corrupts a predictable target, the attacker performs kernel pool grooming:

    • Allocates numerous 0x4000-byte pools using Named Pipes.
    • Freeing every second allocation to create a "gap" pattern.
    • Triggering the vulnerability forces the overflow to land in a specific, controlled location.

  3. Structure Overwrite:
    The groomed heap layout places a PIPE_ATTRIBUTE structure adjacent to the vulnerable buffer. The overflow corrupts the AttributeValue pointer within this structure.

  4. ALPC Arbitrarily R/W:
    The attacker abuses the corrupted pointer via ALPC:

    • Creates multiple ALPC handles using NtAlpcCreateResourceReserve.
    • Leverages the corrupted pointer to force the kernel to allocate a fake _KALPC_RESERVE object.
    • This establishes a primitive for arbitrary kernel memory reads and writes through ALPC message buffers.

  5. Privilege Escalation:
    With arbitrary kernel read/write, the attacker:

    • Reads the process token of the SYSTEM process (e.g., wininit.exe).
    • Overwrites the current process's token with the stolen SYSTEM token.
    • Results in full local privilege escalation.

3. PoC Analysis

The Proof-of-Concept repository for this vulnerability is maintained by zerozenxlabs and provides a detailed technical breakdown of the exploitation path.

Repository Details

⚠️ PoC Code Availability

Important: The repository currently contains only a technical analysis document. It does not include compiled binaries, executable scripts, or code blocks. The PoC author has shared comprehensive reverse-engineering notes, control flow analysis, and exploitation strategies, but no runnable code is present.

Security researchers looking to implement detection or validation must rely on the technical description and behavioral patterns rather than copying exploit code.

4. Exploitation Walkthrough

For analysts reconstructing the attack flow, here is the step-by-step execution sequence derived from the analysis:

  1. Reparse Point Crafting:
    The attacker creates an NTFS reparse point containing a structured buffer with >10 items.

    • Items 0-9: Valid data to pass initial checks.
    • Items 10+: Malicious payload data with inflated sizes.

  2. Trigger Execution:
    The attacker invokes an internal FSCTL dispatch (0xC0000003) against the clfs.sys filter, forcing the driver to process the crafted reparse point.

  3. Validation Bypass:
    Execution reaches HsmpRpValidateBuffer. The loop condition if ((unsigned int)v12 >= 0xA) caps validation at 10 items. Items 11+ are ignored.

  4. Pool Allocation & Overflow:
    HsmpRpCommitNoLock allocates a 0x4000-byte pool. The memmove operation copies the unvalidated items, overflowing the 16KB boundary and corrupting the heap.

  5. Heap Grooming Context:
    Prior to the trigger, the attacker prepared the heap by allocating/freeing Named Pipes to ensure the overflow lands on a PIPE_ATTRIBUTE structure.

  6. Pointer Corruption:
    The overflow overwrites the AttributeValue pointer inside PIPE_ATTRIBUTE with a controlled value pointing to attacker-controlled data.

  7. ALPC Primitive Establishment:
    The attacker creates ALPC handles (NtAlpcCreateResourceReserve). The kernel follows the corrupted pointer, allocating a fake _KALPC_RESERVE structure. This allows the attacker to read/write kernel memory via ALPC messages.

  8. Token Stealing:

    • Read: Locate EPROCESS of SYSTEM, extract token.
    • Write: Locate current process EPROCESS, overwrite token with SYSTEM token.
    • Result: Process now runs as NT AUTHORITY\SYSTEM.

5. Detection & Monitoring

Detecting exploitation of CVE-2023-36424 requires monitoring for the specific kernel primitives and behaviors associated with the attack chain. Since this is a local privilege escalation, network-based detection is ineffective; endpoint and kernel-level monitoring is essential.

5.1 Sigma Rules Concept

While no official Sigma rules have been widely distributed yet, the following detection concepts can be implemented based on the exploitation techniques:

# Detection for suspicious Named Pipe grooming patterns
title: Suspicious Named Pipe Creation for Heap Grooming
id: d8a4c9e2-1f3b-4a5c-9d8e-7f6a5b4c3d2e
status: experimental
description: Detects rapid creation of named pipes, potentially indicating heap grooming.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\\svchost.exe'
            - '\\csrss.exe'
        CommandLine|contains:
            - '\\Pipe\\'
    condition: selection and count > 50 within 1m

# Detection for ALPC abuse
title: Abnormal ALPC Resource Reserve Creation
id: f9e8d7c6-b5a4-3c2d-1e0f-9a8b7c6d5e4f
status: experimental
description: Detects excessive ALPC handle creation, potentially part of the arbitrary R/W setup.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\\rundll32.exe'
            - '\\cmd.exe'
            - '\\powershell.exe'
        CommandLine|contains:
            - 'Alpc'
    condition: selection

5.2 Behavioral Indicators

  • Kernel Pool Fragmentation Spikes: Monitoring tools capable of tracking paged pool allocation patterns may observe abnormal fragmentation caused by rapid named pipe allocation/freed cycles.
  • BSODs: If the exploitation fails or corrupts critical structures, the system may crash with POOL_CORRUPTION or ATTEMPTED_WRITE_TO_READONLY_MEMORY errors.
  • Privilege Escalation: Monitor for sudden elevation of standard user processes to SYSTEM without administrative intervention.

5.3 YARA Rules for Binary Analysis

Researchers analyzing binaries for the presence of this vulnerability can look for the following signatures in clfs.sys:

rule CVE_2023_36424_Clfs_Vulnerability {
    meta:
        description = "Detects validation bypass pattern in clfs.sys"
        author = "ilovethreats.com"
    strings:
        $s1 = { 83 7C 08 0A 7F ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? }
    condition:
        uint16(0) == 0x5A4D and filesize < 2MB and $s1
}

Note: YARA rules should be validated against specific versions of clfs.sys and may produce false positives.

6. Remediation Guidance

6.1 Patching

The primary remediation is to apply the latest Microsoft security updates. As this vulnerability is listed in the Known Exploited Vulnerabilities (KEV) catalog, patching should be treated with high urgency.

  • Action: Apply the April 2026 cumulative update or the specific out-of-band patch released for CVE-2023-36424.
  • Verification: Confirm the patch level matches the vendor's recommended build for clfs.sys.

6.2 Mitigations

If immediate patching is not possible, consider the following mitigations:

  1. Restrict Administrative Access: Limit the number of users with local administrator privileges to reduce the attack surface.
  2. Application Control: Implement application whitelisting to prevent unauthorized execution of tools that might facilitate the exploitation chain.
  3. Cloud Services: Follow BOD 22-01 guidance for cloud services. Isolate workloads and ensure that no untrusted users have the ability to create reparse points or interact with clfs.sys interfaces.
  4. Discontinue Use: If no mitigations are available and the product cannot be patched, consider discontinuing the use of the affected component or environment until a workaround is identified.

7. References

This analysis was prepared by the security research team at ilovethreats.com. For further questions regarding detection or remediation, please consult your vendor support channels or reach out to our community.

🧪 Lab Environment

A hands-on lab environment for this vulnerability is not yet available. Our automated builder is continuously adding new labs — check back soon!

When available, you'll get:
  • 🔬 A vulnerable target instance to practice exploitation
  • 🖥️ Browser-based Kali Linux with pre-installed tools
  • 🔒 Completely isolated network — no internet access
  • ⏱️ 1-hour session with automatic cleanup