Elevation of Privilege in Windows Common Log File System Driver
CVE-2026-20820 is a heap-based buffer overflow in the Windows Common Log File System (CLFS) driver. An authorized attacker with local access can use it to corrupt kernel memory in the driver's request-handling paths and elevate privileges, up to SYSTEM. Microsoft rated it CVSS 7.8 and assessed it as 'Exploitation More Likely'. CLFS is reachable from unprivileged user mode through the clfsw32 log API, which is why memory-corruption bugs in this driver are recurring local privilege-escalation targets.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
The single public repository is a minimal local Windows proof-of-concept for CVE-2026-20820 that targets CLFS behavior. It contains three files: a .gitattributes file, a short README listing the tested Windows versions and build environment, and one C++ source file at poc/poc.cpp. The code is standalone and not part of a larger exploit framework.

The PoC links against clfsw32.lib and drives the user-mode CLFS API. In wmain it creates a CLFS log named "LOG:minpoc", adds a 1 MB container named "mincont", queries the system page size, allocates two pages of writable memory, and positions a 576-byte crafted buffer so that it straddles the boundary between the two pages. It initializes specific offsets within that buffer and then calls DeviceIoControl on the CLFS log handle with IOCTL code 0x80076816, intentionally passing the crafted buffer as the output buffer rather than the input buffer. The comments and structure indicate that the intended result is an out-of-bounds write or similar memory corruption in the CLFS driver's handling of that request.

There is no post-exploitation logic, no shellcode, no network communication, and no persistence. The exploit capability is limited to triggering the vulnerable code path locally, reproducing a crash, and at most confirming a kernel memory-corruption primitive; it does not itself elevate privileges. The README indicates the author validated, or intended to validate, the PoC on specific Windows 10 and Windows 11 builds using Visual Studio 2022 and Windows SDK 10.0.
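Two details in that description can be checked without running the PoC: what the IOCTL value encodes, and why the buffer is placed across a page boundary. The block below is an added example, not code from the PoC repository or from this page. It unpacks a Windows I/O control code into the fields that the WDK's CTL_CODE macro packs (device type, access, function, transfer method), and computes how many pages an MDL covering a buffer would span, mirroring the WDK macro ADDRESS_AND_SIZE_TO_SPAN_PAGES. The page size is assumed to be 4096 and the region address is a constructed sample. Applied to 0x80076816 the decode gives device type 0x8007, FILE_READ_ACCESS, function 0xA05 and METHOD_OUT_DIRECT. For an OUT_DIRECT request the I/O manager probes the caller's output buffer for write access and locks it into an MDL before the driver sees it, so a 576-byte buffer that starts 288 bytes before a page boundary arrives as a two-page MDL, whereas a page-aligned one fits in a single page. What CLFS then does with that buffer is not described on this page and is not reproduced here.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Field layout of a Windows I/O control code, as packed by the WDK macro
 * CTL_CODE(DeviceType, Function, Method, Access):
 *   bits 31..16  DeviceType
 *   bits 15..14  Access   (FILE_ANY_ACCESS=0, FILE_READ_ACCESS=1,
 *                          FILE_WRITE_ACCESS=2, both=3)
 *   bits 13..2   Function (12 bits)
 *   bits  1..0   Method   (METHOD_BUFFERED=0, METHOD_IN_DIRECT=1,
 *                          METHOD_OUT_DIRECT=2, METHOD_NEITHER=3)
 */
#define METHOD_BUFFERED   0u
#define METHOD_IN_DIRECT  1u
#define METHOD_OUT_DIRECT 2u
#define METHOD_NEITHER    3u

typedef struct {
    uint32_t device_type;
    uint32_t access;
    uint32_t function;
    uint32_t method;
} ioctl_fields;

/* Unpack a control code into its four fields. */
static ioctl_fields ioctl_decode(uint32_t code)
{
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* Re-pack the fields; equivalent to CTL_CODE. Used here to round-trip the decode. */
static uint32_t ioctl_encode(uint32_t device_type, uint32_t function,
                             uint32_t method, uint32_t access)
{
    return (device_type << 16) | (access << 14) | (function << 2) | method;
}

static const char *method_name(uint32_t method)
{
    static const char *const names[] = {
        "METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"
    };
    return names[method & 3u];
}

/*
 * Number of pages an MDL for the range [va, va + size) must describe.
 * Mirrors the WDK macro ADDRESS_AND_SIZE_TO_SPAN_PAGES; page_size must be
 * a power of two.
 */
static size_t span_pages(uintptr_t va, size_t size, size_t page_size)
{
    return ((va & (page_size - 1)) + size + (page_size - 1)) / page_size;
}

int main(void)
{
    const uint32_t code = 0x80076816u;   /* IOCTL value reported for the PoC */
    const size_t page_size = 4096;       /* assumed page size; the PoC queries it at runtime */
    const size_t buf_len = 576;          /* crafted buffer length reported for the PoC */
    /* Constructed sample base for the two-page allocation; any page-aligned
     * value gives the same page counts. */
    const uintptr_t region = (uintptr_t)0x20000u;
    /* Start 288 bytes before the boundary so half the buffer sits on each page. */
    const uintptr_t straddling = region + page_size - buf_len / 2;

    ioctl_fields f = ioctl_decode(code);
    printf("IOCTL 0x%08X: device_type=0x%04X access=%u function=0x%03X method=%s\n",
           (unsigned)code, (unsigned)f.device_type, (unsigned)f.access,
           (unsigned)f.function, method_name(f.method));
    printf("round-trip encode: 0x%08X\n",
           (unsigned)ioctl_encode(f.device_type, f.function, f.method, f.access));
    printf("MDL pages, page-aligned buffer: %zu\n", span_pages(region, buf_len, page_size));
    printf("MDL pages, straddling buffer:   %zu\n", span_pages(straddling, buf_len, page_size));
    return 0;
}
```

The same decoder works for any control code seen in a crash dump or an ETW/Procmon trace, which makes it a quick way to tell whether a suspicious DeviceIoControl call hands the driver a locked user buffer (direct methods) or a kernel copy (buffered), before reading the driver's dispatch code.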
Recent activity
9 sources tracked across advisories, community write-ups, and news. They agree on the essentials: a local elevation-of-privilege vulnerability in the Windows CLFS driver caused by a heap-based buffer overflow, potentially yielding SYSTEM, which Microsoft assesses as 'Exploitation More Likely'. None of the tracked sources reports exploitation in the wild.