Microsoft Windows CLFS, use-after-free elevation of privilege
A use-after-free in the Windows Common Log File System (CLFS) driver allows an authorized local attacker to elevate privileges to SYSTEM. The driver references a kernel object after it has been freed, and an attacker who controls the reallocated memory can execute code in kernel mode. Microsoft confirmed in-the-wild exploitation as a zero-day, and CISA added the CVE to the Known Exploited Vulnerabilities catalog on the disclosure date.
Overview
CVE-2025-32701 is a use-after-free (CWE-416) in the Windows Common Log File System (CLFS) driver, clfs.sys. CLFS is a general-purpose kernel logging subsystem used by many Windows components and by third-party software for transactional logging. The driver frees a kernel object but retains and later dereferences a stale pointer to it; an attacker who has caused the freed memory to be reallocated with controlled contents can hijack that dereference to execute code in kernel mode, elevating from a low-privileged account to SYSTEM. Microsoft rated the issue Important with a CVSS 3.1 base score of 7.8 and confirmed it was exploited in the wild. CISA added it to the Known Exploited Vulnerabilities catalog on 13 May 2025.
CLFS has been a recurring source of in-the-wild privilege-escalation zero-days, and this CVE was one of several actively exploited flaws fixed in the May 2025 Patch Tuesday release. Such bugs are prized by ransomware operators and intrusion crews because they convert any foothold into full kernel control on an already-compromised host.
Technical Details
The vulnerability follows the classic use-after-free pattern. During CLFS log-file operations, a structure is freed, but a reference to it survives, often because of a missing reference count, an unsynchronised callback, or an error path that releases an object still in use. By racing or sequencing log operations, an attacker frees the object and then sprays the kernel pool so the same allocation is reclaimed by data they control. When the driver follows the dangling pointer, it operates on attacker-shaped memory, typically yielding a controlled write or a hijacked function pointer that pivots into kernel-mode code execution.
The CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H reflects a local attack (AV:L) that requires the attacker to already be authenticated with low privileges (PR:L) and needs no user interaction (UI:N). This is the canonical second-stage primitive: malware, a malicious insider, or an attacker who landed via phishing or a web exploit uses it to escape a low-integrity context and seize SYSTEM, after which they can disable security tooling, install drivers, and persist.
Impact
- Local elevation from any authenticated low-privileged account to SYSTEM, the highest privilege level on the host.
- Kernel-mode code execution, enabling tampering with or disabling EDR/AV, loading unsigned or malicious drivers, and deep persistence.
- A reliable post-compromise step in ransomware and hands-on-keyboard intrusions, turning a single user foothold into full machine control.
- Universal exposure across supported Windows 10, Windows 11, and Windows Server editions, including ESU-covered legacy servers.
Mitigation
- Install the May 2025 (or any later) cumulative security update on every affected system. Confirmed packages include KB5058405 for the affected Windows Server / Windows 11 servicing branches and KB5058379 for Windows 10 version 22H2 / 21H2; apply the matching cumulative update for each remaining build.
- For Windows 11 24H2, 23H2, and 22H2, Windows Server 2025, Server 2022 (including 23H2), Server 2019, and Server 2016, deploy the corresponding May 2025 cumulative update or monthly rollup named in the MSRC Security Updates table for CVE-2025-32701; for Server 2012/2012 R2 and 2008/2008 R2, apply the relevant Extended Security Update.
- Reboot after installation and confirm the OS build advanced to the May 2025 servicing level so clfs.sys is replaced with the fixed version.
- Prioritise internet-facing servers, multi-user systems (RDS/Citrix hosts), and any machine where untrusted code may run, since those maximise the value of a local-to-SYSTEM escape.
- Enforce least privilege and strong application control (WDAC or AppLocker) to limit an attacker's ability to land the low-privilege foothold the exploit depends on, and keep EDR tamper protection enabled.
Detection
Because the bug delivers SYSTEM, the most reliable detection is behavioural: watch for a process that suddenly runs as SYSTEM (NT AUTHORITY\SYSTEM) without a legitimate parent. In EDR data, alert on token-elevation or process-integrity transitions where a child started by a standard user ends up at SYSTEM integrity, and on classic post-escalation actions: new service creation, driver loads via the kernel service control path, scheduled tasks installed as SYSTEM, or LSASS credential access immediately after the elevation.
CLFS exploitation often touches the file system: monitor for creation of .blf base log files and associated CLFS container files in unusual user-writable directories, especially when followed by anomalous behaviour from the creating process. Sysmon event ID 11 (file create) for .blf artifacts in temp or profile paths, correlated with event ID 1 (process create) for an unexpected SYSTEM-context child, is a strong composite indicator. Map alerts to ATT&CK T1068 (exploitation for privilege escalation).
Kernel stability telemetry is valuable for catching unreliable exploit attempts. A failed use-after-free frequently bugchecks the system; look for clusters of clfs.sys-attributed crashes or pool-corruption Stop codes (for example 0x19 BAD_POOL_HEADER or 0xC2 BAD_POOL_CALLER) in WER and minidump data, and forward kernel dumps centrally so an analyst can confirm the faulting module. Repeated crashes on the same host around the time of suspicious logins are worth a manual hunt.
Finally, treat patch state as a detection input. Run authenticated scans (Tenable, Rapid7 and Qualys all key their plugins to KB5058405 / KB5058379) and surface any host still missing the May 2025 update, then cross-reference against EDR for signs of low-privileged code execution. Microsoft Defender and other vendors ship behavioural detections for known CLFS exploit families; ensure those signatures are current and that tamper protection is on, since disabling the agent is a common first move once SYSTEM is obtained. For a defensible audit trail, retain process-creation, file-create, and crash telemetry long enough to support retrospective hunts, because CLFS zero-days are frequently used quietly for weeks before the underlying flaw is disclosed and patched.
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-32701
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32701
- https://www.cisa.gov/news-events/alerts/2025/05/13/cisa-adds-five-known-exploited-vulnerabilities-catalog
- https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2025-patch-tuesday-fixes-5-exploited-zero-days-72-flaws/
