Windows CLFS Elevation-of-Privilege Flaws Patched by Microsoft
Microsoft published security advisories for two Windows Common Log File System (CLFS) Driver elevation-of-privilege vulnerabilities, tracked as CVE-2022-37969 and CVE-2023-36424. Both issues affect the CLFS component in Windows and could allow an attacker to gain higher privileges on a targeted system after successful exploitation.
The advisories were released through Microsoft's Security Update Guide and indicate that the flaws were addressed in separate security updates. The repeated appearance of privilege-escalation bugs in the CLFS driver highlights a sensitive Windows kernel-area component that defenders should prioritize for patching and monitoring, especially on endpoints where local code execution could be chained into SYSTEM-level access.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes advisory for CVE-2023-36424 CLFS privilege escalation flaw
Microsoft published guidance for CVE-2023-36424, identifying it as a Windows Common Log File System Driver Elevation of Privilege Vulnerability.
Microsoft publishes advisory for CVE-2022-37969 CLFS privilege escalation flaw
Microsoft added CVE-2022-37969 to its Security Update Guide as a Windows Common Log File System Driver Elevation of Privilege Vulnerability.
Sources
2 references tracked. Mallory keeps watching after this page renders.
CVE-2023-36424 - Security Update Guide - Microsoft - Windows Common Log File System Driver Elevation of Privilege Vulnerability
portal.msrc.microsoft.com
Open sourceCVE-2022-37969 - Security Update Guide - Microsoft - Windows Common Log File System Driver Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Patches Multiple Windows CLFS Driver Privilege Escalation Flaws
Microsoft disclosed and patched multiple **elevation-of-privilege vulnerabilities** in the **Windows Common Log File System (CLFS) Driver**, including `CVE-2026-40407`, `CVE-2025-62470`, and `CVE-2025-32713`. The most detailed advisory, for `CVE-2026-40407`, describes a **heap-based buffer overflow** (`CWE-122`) that allows a locally authenticated low-privilege attacker to escalate to **SYSTEM** without user interaction. Microsoft rated `CVE-2026-40407` as **Important** with a **CVSS 3.1 score of 7.8**, citing **high** impact to confidentiality, integrity, and availability. The company said the flaw had **not** been publicly disclosed and was **not** being exploited in the wild at the time of publication, assessed exploitation as unlikely, and released an official security update to remediate the issue; the related CLFS advisories indicate a continuing pattern of privilege-escalation risk in this Windows component.
May 25, 2026
Microsoft Patches Windows Privilege Escalation Flaws in CLFS Driver and Winlogon
Microsoft published security updates for multiple Windows local privilege escalation vulnerabilities, including **CVE-2024-49138** in the **Windows Common Log File System (CLFS) Driver** and **CVE-2024-30066** in **Winlogon**. Both issues could allow an attacker who already has access to a target system to elevate privileges, increasing the risk of full system compromise and follow-on activity such as credential theft, defense evasion, or lateral movement. The advisories were released through Microsoft's Security Update Guide and identify the affected components as core parts of Windows used for logging and authentication workflows. Organizations running Windows systems should prioritize applying the relevant Microsoft patches, validate remediation across endpoints and servers, and monitor for signs of post-compromise privilege escalation involving `clfs.sys`, Winlogon, or other abnormal attempts to obtain elevated execution on patched and unpatched hosts.
May 25, 2026
Windows Privilege Escalation Flaws Hit CLFS and Cloud Files Drivers
Microsoft disclosed multiple Windows local privilege escalation vulnerabilities affecting kernel-level drivers, including **Windows Common Log File System (CLFS) Driver** flaws tracked as `CVE-2023-23376` and `CVE-2023-28252`, as well as a **Windows Cloud Files Mini Filter Driver** flaw tracked as `CVE-2025-62454`. All three issues were classified as **Elevation of Privilege** vulnerabilities in Microsoft's Security Update Guide. The advisories indicate that successful exploitation could allow an attacker who already has access to a target system to gain higher privileges through vulnerable Windows driver components. The affected bugs span separate Windows subsystems but share the same core risk: attackers can abuse low-level driver weaknesses to move from limited access toward more powerful control over compromised machines, reinforcing the need to prioritize Microsoft security updates for Windows kernel and file-system-related components.
May 25, 2026