CVE-2025-30385 — CLFS Driver Use-After-Free

Last updated: 2026-04-28
Component: clfs.sys — Windows Common Log File System Driver
Bug Class: Use-after-free (CWE-416)
Patch: May 2025 Patch Tuesday — KB5058411 (client) / KB5058405 (server)
Exploited ITW: No public attribution; aligned with the broader CLFS exploitation cluster
Discoverer: Not publicly disclosed
Related: CLFS, Use-After-Free, CLFS Authentication
Tags: clfs, uaf, kernel-mode, lpe


Summary

Another use-after-free in clfs.sys — the same component that produced CVE-2025-29824 (April 2025, ITW), CVE-2024-49138 (Dec 2024, ITW), CVE-2023-28252 (Apr 2023, ITW), CVE-2023-23376 (Feb 2023, ITW), and earlier. CLFS continues to be the dominant LPE surface on Windows.


Root cause

CLFS handles in-memory pointers to BLF structures across IRP lifetimes. The vulnerable code path frees a CLFS log object (likely a CClfsLogCcb-style refcount-tracked object given the family) but a stale pointer lingers along a less-trodden code path. A subsequent IOCTL dereferences the dangling pointer.

Without an authoritative public root-cause writeup at time of indexing, the precise object and code path aren’t pinned down here. The pattern matches the prior CLFS UAFs cataloged on this wiki — see CLFS for the structures involved and the historical exploit primitives.


Exploitation (expected pattern)

The CLFS exploitation playbook on Windows 11 24H2+ converges on:

  1. Trigger the UAF via the offending IOCTL.
  2. Spray the freed slot with a controllable object (WNF state-data, pipe attributes, _IOP_MC_BUFFER_ENTRY).
  3. Promote to kernel R/W via IORING or WNF-corruption primitives — see Primitives.
  4. Token steal.

Indicators noted in vendor writeups: dllhost.exe spawning unusual children (e.g. winlogon.exe); processes loading CLFS modules outside expected workloads.


Detection

  • CLFS log-file operations from low-privilege processes followed shortly by SYSTEM-token elevation.
  • Refer to the hardening that applies to the whole CLFS family: enable CLFS Authentication where supported (HMAC + Merkle tree on BLF files). It blocks the crafted-BLF class of bugs but not every UAF that is reachable once a log handle already exists.
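The two behavioural indicators above (dllhost.exe spawning unusual children from the Exploitation section, and low-privilege CLFS log-file activity followed shortly by a SYSTEM-token process from this section) can be expressed as correlation rules over process-creation and file-creation telemetry. The script below is an added example written for this wiki entry, not detection content from any vendor writeup. The event shape (Sysmon-like process-create and file-create records), the field names, the 60-second window, the list of "unusual" dllhost.exe children and the sample events are all constructed assumptions; correlating the elevation on parent pid is likewise an assumption of the example, since real telemetry would key on the logon session or token.

```python
"""Added example: detection logic for the two CLFS-exploitation indicators on the page.
 (1) dllhost.exe as the parent of an unexpected child image (winlogon.exe is the page's example).
 (2) A non-SYSTEM process creates a CLFS base log file (.blf) and, within a short window,
     a SYSTEM-token process is created with that process as its parent.
Event fields are assumptions in a Sysmon-like shape, not a vendor schema."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath


@dataclass
class Event:
    ts: datetime
    kind: str          # "process_create" or "file_create"
    pid: int
    ppid: int
    image: str
    parent_image: str
    user: str          # account the process runs as
    target: str = ""   # file path, only meaningful for file_create events


# Constructed list of dllhost.exe children worth flagging; winlogon.exe comes from the page.
UNUSUAL_DLLHOST_CHILDREN = {"winlogon.exe", "cmd.exe", "powershell.exe"}
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"
ELEVATION_WINDOW = timedelta(seconds=60)  # assumed correlation window


def _base(path: str) -> str:
    """Lower-cased image file name, so paths and casing don't affect matching."""
    return ntpath.basename(path).lower()


def detect_dllhost_children(events):
    """Indicator (1): returns (ts, parent pid, child pid, child image) per hit."""
    hits = []
    for e in events:
        if (e.kind == "process_create"
                and _base(e.parent_image) == "dllhost.exe"
                and _base(e.image) in UNUSUAL_DLLHOST_CHILDREN):
            hits.append((e.ts, e.ppid, e.pid, _base(e.image)))
    return hits


def detect_blf_then_system(events):
    """Indicator (2): .blf creation by a non-SYSTEM process, then a SYSTEM-token child
    of that process within ELEVATION_WINDOW. Keying on pid is an assumption here."""
    blf_touches = {}  # pid -> timestamp of first .blf creation by a non-SYSTEM process
    hits = []
    for e in sorted(events, key=lambda x: x.ts):
        if (e.kind == "file_create" and e.target.lower().endswith(".blf")
                and e.user != SYSTEM_ACCOUNT):
            blf_touches.setdefault(e.pid, e.ts)
        elif e.kind == "process_create" and e.user == SYSTEM_ACCOUNT:
            t0 = blf_touches.get(e.ppid)
            if t0 is not None and timedelta(0) <= e.ts - t0 <= ELEVATION_WINDOW:
                hits.append((e.ts, e.ppid, e.pid, _base(e.image)))
    return hits


# Constructed sample telemetry: two true positives mixed with benign CLFS and SYSTEM activity.
T = datetime(2025, 5, 14, 9, 0, 0)
SAMPLE_EVENTS = [
    # benign: a COM surrogate started by svchost.exe
    Event(T, "process_create", 4100, 800, r"C:\Windows\System32\dllhost.exe",
          r"C:\Windows\System32\svchost.exe", "DESKTOP\\alice"),
    # low-privilege process creates a CLFS base log file
    Event(T + timedelta(seconds=5), "file_create", 5200, 4100,
          r"C:\Users\alice\AppData\Local\Temp\sample.exe",
          r"C:\Windows\System32\dllhost.exe", "DESKTOP\\alice",
          r"C:\Users\alice\AppData\Local\Temp\log.blf"),
    # 12 seconds later that process has a SYSTEM-token child
    Event(T + timedelta(seconds=17), "process_create", 5300, 5200,
          r"C:\Windows\System32\cmd.exe",
          r"C:\Users\alice\AppData\Local\Temp\sample.exe", SYSTEM_ACCOUNT),
    # dllhost.exe spawning winlogon.exe
    Event(T + timedelta(seconds=20), "process_create", 5400, 4100,
          r"C:\Windows\System32\winlogon.exe",
          r"C:\Windows\System32\dllhost.exe", SYSTEM_ACCOUNT),
    # benign: a SYSTEM service maintaining its own .blf (no elevation to correlate)
    Event(T + timedelta(seconds=30), "file_create", 900, 4,
          r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
          SYSTEM_ACCOUNT, r"C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiag.blf"),
    # benign: SYSTEM child of a SYSTEM parent that never touched a .blf as non-SYSTEM
    Event(T + timedelta(seconds=35), "process_create", 950, 900,
          r"C:\Windows\System32\conhost.exe", r"C:\Windows\System32\svchost.exe",
          SYSTEM_ACCOUNT),
]


def run(events=SAMPLE_EVENTS):
    """Runs both rules and returns their hits keyed by indicator name."""
    return {"dllhost_children": detect_dllhost_children(events),
            "blf_then_system": detect_blf_then_system(events)}


if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits)
```

Against the constructed sample, each rule fires exactly once: the winlogon.exe child of pid 4100, and the SYSTEM cmd.exe child of the process that created log.blf twelve seconds earlier; the SYSTEM service's own .blf maintenance and the SYSTEM-to-SYSTEM conhost.exe start are ignored. Filtering on the account name alone is a coarse proxy for "SYSTEM-token elevation"; a production rule would compare integrity level or token identity across the parent and child records rather than the user string.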

References