Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

Windows Common Log File System Driver Out-of-Bounds Read Privilege Escalation

IdentifiersCVE-2023-36424CWE-125· Out-of-bounds Read

CVE-2023-36424 is an elevation of privilege vulnerability in the Microsoft Windows Common Log File System (CLFS) driver. The issue is described as an out-of-bounds read caused by improper validation of memory read boundaries in the CLFS driver. A local attacker can trigger the flaw from a low-integrity, unprivileged context and exploit it to elevate privileges on the affected Windows system. Public reporting in the provided content states Microsoft patched the issue in November 2023 and that CISA later added it to the Known Exploited Vulnerabilities catalog based on evidence of active exploitation.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows privilege escalation to SYSTEM, yielding complete administrative control over the compromised host. With SYSTEM-level access, an attacker can disable or terminate security tooling, access sensitive data, install persistence mechanisms, deploy secondary payloads, and use the host for further lateral movement. The vulnerability is particularly valuable in multi-stage intrusion chains after initial access has already been obtained.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, prioritize exposure reduction on systems where local attacker access is plausible, aggressively monitor Windows systems for suspicious post-compromise behavior, and follow Microsoft's published mitigations if available. CISA guidance in the provided content recommends applying all vendor mitigations, following applicable BOD 22-01 guidance for cloud-hosted systems, and discontinuing use of affected products if no patch or effective mitigation is available.

Remediation

Patch, then assume compromise.

Apply Microsoft's security updates that address CVE-2023-36424; the provided content states Microsoft patched the vulnerability in November 2023. Organizations should prioritize patching on affected Windows endpoints and servers, especially because the flaw has been added to CISA's KEV catalog and is reported as actively exploited. Follow Microsoft's official vendor guidance for the relevant Windows versions in use.
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 1 / 1 TOTALView more in app
CVE-2023-36424MaturityPoCVerified exploit

This repository contains a working exploit for CVE-2023-36424, a local privilege escalation vulnerability in the Windows kernel driver clfs.sys (version 10.0.22621.2134) on Windows 11 22H2 (build 22621.2215). The exploit is implemented in C++ (polpol.cpp) and leverages a pool overflow in the clfs.sys mini filter driver, triggered via a specially crafted NTFS reparse point. The exploit manipulates kernel memory to overwrite a process token, allowing the attacker to spawn a SYSTEM shell (cmd.exe). The repository includes Visual Studio project files for building the exploit, as well as a detailed README.md with technical analysis and exploitation steps. The main attack vector is local, requiring the attacker to execute code on the target system. No network endpoints are involved. The exploit is operational and provides a SYSTEM shell if successful.

zerozenxlabsDisclosed Mar 21, 2024cpplocal
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationWindows 10 1507operating_system
Microsoft CorporationWindows 10 1607operating_system
Microsoft CorporationWindows 10 1809operating_system
Microsoft CorporationWindows 10 21h2operating_system
Microsoft CorporationWindows 10 22h2operating_system
Microsoft CorporationWindows 11 21h2operating_system
Microsoft CorporationWindows 11 22h2operating_system
Microsoft CorporationWindows 11 23h2operating_system
Microsoft CorporationWindows Server 2008operating_system
Microsoft CorporationWindows Server 2008 R2operating_system
Microsoft CorporationWindows Server 2008 Sp2operating_system
Microsoft CorporationWindows Server 2012operating_system
Microsoft CorporationWindows Server 2012 R2operating_system
Microsoft CorporationWindows Server 2016operating_system
Microsoft CorporationWindows Server 2019operating_system
Microsoft CorporationWindows Server 2022operating_system
Microsoft CorporationWindows Server 2022 23h2operating_system
Microsoft CorporationWindows Server 23h2operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

22 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

22 SOURCESView more in app
scworldNews
Apr 14, 2026
Active exploitation of old Microsoft bugs prompt CISA catalog inclusion | brief | SC Media

A Windows Common Log File System Driver vulnerability that could facilitate privilege escalation.

Read more
cyber security newsNews
Apr 14, 2026
CISA Warns of Microsoft Exchange and Windows CLFS Vulnerabilities Exploited in Attacks

A local privilege escalation vulnerability in the Microsoft Windows Common Log File System (CLFS) driver caused by an out-of-bounds read.

Read more
security affairsNews
Apr 14, 2026
U.S. CISA adds Adobe, Fortinet, Microsoft Windows, Microsoft Exchange Server flaws to its Known Exploited Vulnerabilities catalog

An out-of-bounds read vulnerability affecting Microsoft Windows.

Read more
the hacker newsNews
Apr 14, 2026
CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software

An out-of-bounds read vulnerability in Microsoft Windows Common Log File System Driver that could result in privilege escalation.

Read more
+5 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity11

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2023-36424
NVD
nvd.nist.gov/vuln/detail/CVE-2023-36424
MITRE CWE · CWE-125
Out-of-bounds Read
Patch
msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36424
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-36424