High

Windows CLFS Driver Elevation of Privilege

IdentifiersCVE-2024-38196CWE-252

CVE-2024-38196 is a local privilege escalation vulnerability in the Windows Common Log File System (CLFS) driver, reported as affecting Windows 11 23H2. The flaw is described in the CLFS code path CClfsBaseFilePersisted::WriteMetadataBlock, which does not check the return value of ClfsDecodeBlock. According to the provided analysis, a crafted CLFS metadata block can cause ClfsDecodeBlock to return STATUS_LOG_BLOCK_INVALID while leaving the block encoded. Because sector-end tags remain in place, subsequent processing can corrupt adjacent CLFS metadata and internal structures. The write-up states an attacker can forge a CRC32 value of 0xffffffff to prevent proper decoding, manipulate the .blf metadata layout so CLFS client and container contexts overlap, and redirect a container pointer to a user-controlled fake CClfsContainer object. The exploit chain then uses the resulting kernel memory corruption to alter the current thread's PreviousMode and obtain arbitrary kernel read/write via NtReadVirtualMemory and NtWriteVirtualMemory, culminating in SYSTEM-level code execution.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a local attacker to elevate privileges from a normal user context to SYSTEM. The provided content indicates the bug can be used to corrupt kernel-resident CLFS structures, redirect execution through attacker-controlled data, leak kernel addresses, and ultimately modify token privileges. This enables full compromise of the affected host, including arbitrary kernel memory access, privilege escalation, and spawning a SYSTEM shell. The content also notes the vulnerability can leak a kernel pool address, which may assist in bypassing planned NtQuerySystemInformation-related mitigations on newer Windows versions.

Mitigation

If you can’t patch tonight, do this now.

Until patched, reduce opportunities for local code execution by limiting untrusted code execution on endpoints, enforcing application control, and restricting user ability to run arbitrary binaries. Monitor for suspicious CLFS-related activity such as unusual creation or modification of CLFS log/metadata files, anomalous use of CLFS APIs including CreateLogFile and SetLogArchiveMode, and post-exploitation behaviors such as unexpected NtReadVirtualMemory/NtWriteVirtualMemory access to kernel memory. Because this is a local privilege escalation issue, strong prevention of initial access and execution materially reduces risk.

Remediation

Patch, then assume compromise.

Apply the Microsoft security update that addresses CVE-2024-38196 for affected Windows versions. Because the vulnerability is in the CLFS driver and is exploited through malformed CLFS metadata handling, remediation requires the vendor fix that correctly validates and handles the ClfsDecodeBlock result in the vulnerable path and prevents malformed metadata from corrupting internal CLFS structures. If patch availability for a specific build is unclear, follow Microsoft's latest guidance for cumulative updates covering CVE-2024-38196.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationWindows 10 1507operating_system

Microsoft CorporationWindows 10 1607operating_system

Microsoft CorporationWindows 10 1809operating_system

Microsoft CorporationWindows 10 21h2operating_system

Microsoft CorporationWindows 10 22h2operating_system

Microsoft CorporationWindows 11 21h2operating_system

Microsoft CorporationWindows 11 22h2operating_system

Microsoft CorporationWindows 11 23h2operating_system

Microsoft CorporationWindows 11 24h2operating_system

Microsoft CorporationWindows Server 2008operating_system

Microsoft CorporationWindows Server 2008 R2operating_system

Microsoft CorporationWindows Server 2008 Sp2operating_system

Microsoft CorporationWindows Server 2012operating_system

Microsoft CorporationWindows Server 2012 R2operating_system

Microsoft CorporationWindows Server 2016operating_system

Microsoft CorporationWindows Server 2019operating_system

Microsoft CorporationWindows Server 2022operating_system

Microsoft CorporationWindows Server 2022 23h2operating_system

Microsoft CorporationWindows Server 23h2operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app

the hacker newsNews

Aug 7, 2025

SocGholish Malware Spread via Ad Tools; Delivers Access to LockBit, Evil Corp, and Others

A local privilege escalation (LPE) vulnerability exploited by the Raspberry Robin malware to obtain elevated privileges on compromised Windows systems.

ssd disclosureNews

Oct 23, 2024

SSD Advisory - Common Log File System (CLFS) driver PE - SSD Secure Disclosure

A Windows 11 Common Log File System (CLFS) local privilege escalation vulnerability caused by CClfsBaseFilePersisted::WriteMetadataBlock not checking the return value of ClfsDecodeBlock, enabling corruption of internal CLFS structures and kernel pool address leakage.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2024-38196

NVD

nvd.nist.gov/vuln/detail/CVE-2024-38196

MITRE CWE · CWE-252

cwe.mitre.org

Patch

msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38196