Researchers detailed exploitation of two Windows Cloud Files Mini Filter Driver vulnerabilities in cldflt.sys—CVE-2021-31969 and CVE-2024-30085—that allow local attackers to escalate privileges to NT AUTHORITY\SYSTEM through kernel heap corruption. In the older bug, a missing lower-bound validation in HsmpRpiDecompressBuffer caused an integer underflow that led to a controlled paged-pool overflow during RtlDecompressBuffer processing. The issue affected Windows 10 1809-21H2 and Windows Server 2019, and could be triggered by registering a sync root, planting crafted cloud-file reparse data in a directory, and invoking filesystem operations such as opening a handle to that directory.

5 events from the most recent confirmed update back to the earliest known activity.
Microsoft released a security update for CVE-2025-50170, a high-severity local privilege escalation flaw in cldflt.sys caused by a logic error during placeholder file creation. According to STAR Labs, the bug lets a low-privileged local attacker corrupt arbitrary files and potentially achieve SYSTEM-level code execution on affected Windows 10, Windows 11, and Windows Server systems.
STAR Labs published a detailed exploit write-up for CVE-2024-30085 describing how two heap overflows against WNF-related objects can be chained to leak kernel pointers, gain arbitrary read/write, and overwrite token privileges to spawn a SYSTEM shell. The analysis ties the bug to crafted cloud-file reparse point data in the Windows Cloud Files Mini Filter Driver.
Microsoft addressed CVE-2024-30085, a heap-based buffer overflow in cldflt.sys, in Windows 10 22H2 update KB5039211 by adding a check to ensure the attacker-controlled copy size does not exceed the 0x1000-byte allocation. The flaw could be triggered through crafted cloud-file reparse point data to achieve local privilege escalation.
STAR Labs released a technical analysis showing how CVE-2021-31969 can be exploited via crafted reparse data, filesystem-triggered decompression, and paged-pool corruption to obtain arbitrary read/write and steal the SYSTEM token. The write-up also notes the exploit was unreliable, succeeding roughly once every 15 attempts and often destabilizing the system.
Microsoft fixed CVE-2021-31969, an elevation-of-privilege flaw in the Windows Cloud Files Mini Filter Driver caused by missing lower-bound validation that could lead to a kernel pool overflow and SYSTEM-level code execution. The STAR Labs write-up identifies the bug as affecting Windows 10 1809-21H2 and Windows Server 2019.