New Windows CLFS Driver Vulnerability Enables Low-Privilege DoS Attacks
A proof-of-concept (PoC) exploit has been released for CVE-2026-2636, a newly disclosed vulnerability in Windows’ Common Log File System (CLFS) driver that allows any unprivileged user to trigger an unrecoverable Blue Screen of Death (BSoD) on affected systems. Discovered by Ricardo Narvaja of Fortra, the flaw is classified as a Denial-of-Service (DoS) issue with a CVSS base score of 5.5.
The vulnerability stems from improper flag validation in the CLFS!CClfsRequest::ReadLogPagingIo function within CLFS.sys (tested on version 10.0.22621.5037). When a specific sequence of Windows API calls is executed, the driver receives an I/O Request Packet (IRP) in which the IRP_PAGING_IO (0x02) and IRP_INPUT_OPERATION flags are both clear; the missing validation sends execution down an unintended path that ends in nt!KeBugCheckEx, the kernel's bug-check (panic) handler.
The exploit requires just two API calls: CreateLogFile to obtain a .blf log file handle, followed by ReadFile on the same handle. Since ReadFile is not designed to operate on CLFS log handles in this context, the driver fails to handle the request, resulting in a deterministic kernel crash. The attack can be executed without elevated privileges, making it particularly dangerous in multi-user or enterprise environments.
Microsoft has silently patched the vulnerability in the September 2025 cumulative update for Windows 11 2024 LTSC and Windows Server 2025, with Windows 25H2 shipping with the fix pre-applied. However, Windows 11 23H2 and earlier versions remain unpatched and vulnerable.
This flaw follows a pattern of recurring CLFS driver vulnerabilities, including CVE-2022-37969, CVE-2023-28252, CVE-2024-6768, and CVE-2025-29824, some of which have been exploited in ransomware attacks. Organizations running unpatched systems are advised to prioritize updates, particularly in environments where system availability is critical.
Source: https://cybersecuritynews.com/windows-vulnerability-bsod-crashes/
Microsoft Security Response Center cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security-response-center
{
  "id": "MIC1772102826",
  "linkid": "microsoft-security-response-center",
  "type": "Vulnerability",
  "date": "9/2025",
  "severity": "25",
  "impact": "1",
  "explanation": "Attack without any consequences"
}
{'affected_entities': [{'customers_affected': 'Users of Windows 11 23H2 and earlier, Windows Server 2025 (unpatched)',
                        'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Microsoft Windows',
                        'size': 'Enterprise',
                        'type': 'Operating System'}],
 'attack_vector': 'Local',
 'date_resolved': '2025-09',
 'description': 'A proof-of-concept (PoC) exploit has been released for CVE-2026-2636, a newly disclosed vulnerability in Windows’ Common Log File System (CLFS) driver that allows any unprivileged user to trigger an unrecoverable Blue Screen of Death (BSoD) on affected systems. The flaw stems from improper flag validation in the CLFS!CClfsRequest::ReadLogPagingIo function within CLFS.sys, leading to a deterministic kernel crash when specific API calls are executed. The attack can be performed without elevated privileges, posing risks in multi-user or enterprise environments.',
 'impact': {'downtime': 'Unrecoverable system crash (BSoD)',
            'operational_impact': 'System unavailability, potential disruption in enterprise environments',
            'systems_affected': 'Windows 11 23H2 and earlier, Windows Server 2025 (unpatched)'},
 'investigation_status': 'Patched',
 'lessons_learned': 'Recurring CLFS driver vulnerabilities highlight the need for proactive patch management and system hardening, especially in environments where system availability is critical.',
 'post_incident_analysis': {'corrective_actions': 'Microsoft silently patched the vulnerability in the September 2025 cumulative update for Windows 11 2024 LTSC and Windows Server 2025.',
                            'root_causes': 'Improper flag validation in CLFS!CClfsRequest::ReadLogPagingIo function within CLFS.sys, leading to incorrect IRP handling and kernel panic.'},
 'recommendations': 'Organizations should prioritize applying the September 2025 cumulative update for Windows 11 2024 LTSC and Windows Server 2025. Unpatched systems (Windows 11 23H2 and earlier) should be updated immediately to mitigate the risk of DoS attacks.',
 'references': [{'source': 'Fortra (Ricardo Narvaja)'},
                {'source': 'Microsoft Security Update Guide'}],
 'response': {'containment_measures': 'Patch deployment (September 2025 cumulative update)',
              'remediation_measures': "Apply Microsoft's September 2025 cumulative update for Windows 11 2024 LTSC and Windows Server 2025"},
 'title': 'New Windows CLFS Driver Vulnerability Enables Low-Privilege DoS Attacks',
 'type': 'Denial-of-Service (DoS)',
 'vulnerability_exploited': 'CVE-2026-2636 (Improper flag validation in CLFS.sys)'}