Microsoft Patches Multiple Windows CLFS Driver Privilege Escalation Flaws
Microsoft disclosed and patched multiple elevation-of-privilege vulnerabilities in the Windows Common Log File System (CLFS) Driver, including CVE-2026-40407, CVE-2025-62470, and CVE-2025-32713. The most detailed advisory, for CVE-2026-40407, describes a heap-based buffer overflow (CWE-122) that allows a locally authenticated low-privilege attacker to escalate to SYSTEM without user interaction.
Microsoft rated CVE-2026-40407 as Important with a CVSS 3.1 score of 7.8, citing high impact to confidentiality, integrity, and availability. The company said the flaw had not been publicly disclosed and was not being exploited in the wild at the time of publication, assessed exploitation as unlikely, and released an official security update to remediate the issue; the related CLFS advisories indicate a continuing pattern of privilege-escalation risk in this Windows component.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Microsoft discloses and patches CVE-2026-40407
Microsoft disclosed CVE-2026-40407, a heap-based buffer overflow in the Windows Common Log File System Driver that could let a low-privileged local attacker gain SYSTEM privileges. Microsoft rated it Important with a CVSS 7.8 score and said it was neither publicly disclosed nor exploited in the wild at the time of publication, with a fix available.
Microsoft releases fix for CVE-2025-62470 in Windows CLFS Driver
Microsoft published a Security Update Guide entry for CVE-2025-62470, identifying another elevation-of-privilege vulnerability in the Windows Common Log File System Driver and making an official update available.
Microsoft releases fix for CVE-2025-32713 in Windows CLFS Driver
Microsoft published a Security Update Guide entry for CVE-2025-32713, an elevation-of-privilege vulnerability in the Windows Common Log File System Driver, indicating the issue was addressed as part of its June 2025 security updates.
Sources
3 references tracked. Mallory keeps watching after this page renders.
CVE-2026-40407 - Security Update Guide - Microsoft - Windows Common Log File System Driver Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-62470 - Security Update Guide - Microsoft - Windows Common Log File System Driver Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-32713 - Security Update Guide - Microsoft - Windows Common Log File System Driver Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Windows CLFS Elevation-of-Privilege Flaws Patched by Microsoft
Microsoft published security advisories for two **Windows Common Log File System (CLFS) Driver** elevation-of-privilege vulnerabilities, tracked as **`CVE-2022-37969`** and **`CVE-2023-36424`**. Both issues affect the CLFS component in Windows and could allow an attacker to gain higher privileges on a targeted system after successful exploitation. The advisories were released through Microsoft's Security Update Guide and indicate that the flaws were addressed in separate security updates. The repeated appearance of privilege-escalation bugs in the **CLFS driver** highlights a sensitive Windows kernel-area component that defenders should prioritize for patching and monitoring, especially on endpoints where local code execution could be chained into **SYSTEM-level** access.
Jun 23, 2026
Microsoft Patches Windows Privilege Escalation Flaws in CLFS Driver and Winlogon
Microsoft published security updates for multiple Windows local privilege escalation vulnerabilities, including **CVE-2024-49138** in the **Windows Common Log File System (CLFS) Driver** and **CVE-2024-30066** in **Winlogon**. Both issues could allow an attacker who already has access to a target system to elevate privileges, increasing the risk of full system compromise and follow-on activity such as credential theft, defense evasion, or lateral movement. The advisories were released through Microsoft's Security Update Guide and identify the affected components as core parts of Windows used for logging and authentication workflows. Organizations running Windows systems should prioritize applying the relevant Microsoft patches, validate remediation across endpoints and servers, and monitor for signs of post-compromise privilege escalation involving `clfs.sys`, Winlogon, or other abnormal attempts to obtain elevated execution on patched and unpatched hosts.
May 25, 2026
Windows Privilege Escalation Flaws Hit CLFS and Cloud Files Drivers
Microsoft disclosed multiple Windows local privilege escalation vulnerabilities affecting kernel-level drivers, including **Windows Common Log File System (CLFS) Driver** flaws tracked as `CVE-2023-23376` and `CVE-2023-28252`, as well as a **Windows Cloud Files Mini Filter Driver** flaw tracked as `CVE-2025-62454`. All three issues were classified as **Elevation of Privilege** vulnerabilities in Microsoft's Security Update Guide. The advisories indicate that successful exploitation could allow an attacker who already has access to a target system to gain higher privileges through vulnerable Windows driver components. The affected bugs span separate Windows subsystems but share the same core risk: attackers can abuse low-level driver weaknesses to move from limited access toward more powerful control over compromised machines, reinforcing the need to prioritize Microsoft security updates for Windows kernel and file-system-related components.
May 25, 2026