The Common Log File System Driver (clfs.sys) present in Microsoft Windows is vulnerable to a Use After Free, which can result in an arbitrary write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Create target directory Perform a pool spray using pipes Creates two threads to win the race condition and trigger the UAF Use the RtlSetAllBits function to enable all privileges in the current process Inject a new agent into an elevated process to run as SYSTEM Successful exploitation is probabilistic and depends critically on two factors: CLFS internal state: The log container lifecycle must be coerced into the precise sequence that releases a vulnerable structure while references remain accessible. Interruptions (other CLFS activity, antivirus hooks, or system load) can alter timing and invalidate the race window. Pool spray: The density, timing, and size-class alignment of sprayed pipe allocations must closely match the freed allocation slot. Memory fragmentation, other kernel consumers, or spray volume reduce the odds of landing a controlled object in the target slot.
CVE Link
Exploit Platform
Exploit Type
Product Name