CVE-2025-32701 — CLFS Log Stream Use-After-Free (ITW Zero-Day)
Last updated: 2026-04-28
Component: clfs.sys — Windows Common Log File System Driver
Bug Class: Use-after-free (CWE-416) on a CLFS log-stream object
Patch: May 13, 2025 Patch Tuesday — KB5058405 / KB5058379
Exploited ITW: Yes — disclosed as a zero-day
Discoverer: Not publicly attributed
Related: CLFS, Use-After-Free, CVE-2025-29824, CVE-2024-49138
Tags: clfs, uaf, kernel-mode, lpe, itw, zero-day
Summary
Use-after-free in CLFS log-stream object handling, exploited as a zero-day before the May 2025 patch. This is the third actively-exploited CLFS LPE in seven months (CVE-2024-49138 Dec 2024, CVE-2025-29824 Apr 2025, this one May 2025) — the cluster reflects how heavily CLFS is currently being mined by both researchers and operators.
CVSS AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H — local, low-privilege, no UI.
Root cause
The driver mismanages references to a CLFS log-stream object. Specific operations on the log file (the writeup cites CreateLogFile / AddLogContainer style entry points) free the object prematurely; a later operation on the same log then dereferences the dangling pointer.
Public detail at time of indexing is light on the exact function and object layout. The exploitation pattern below is the well-documented CLFS family playbook.
Exploitation
- Trigger through the affected log-create / add-container IOCTL sequence.
- Heap-spray the freed slot — predictable object layouts in CLFS make KASLR contingent on a separate leak (or in-pool spraying) but the core technique works without one.
- Promote the dangling-pointer dereference into kernel R/W via IORING or WNF cross-allocation.
- Token steal.
Tracker writeups note a similarity in indicators to the earlier CLFS ITW chains (Storm-2460 / RansomEXX / Nokoyawa-style precursors).
Detection
- CLFS log file creations followed by abnormal allocation of WNF state-data or IrRB(RegBuffers) tags in the same paged-pool slot.
- SYSTEM token assignment to a process that opened CLFS handles in the preceding seconds.
- The CLFS HMAC mitigation (CLFS Authentication) does not prevent post-handle UAFs of this kind.
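The second detection bullet above, as a worked correlation over endpoint telemetry. This is an added example for this tracker entry, not code from any of the referenced writeups. The event schema (timestamp, event kind, pid, detail) and the sample records are constructed for the example; the ".blf" / ".blf.container" path heuristic for spotting CLFS base-log and container files is an assumption, and a "token_change" event that exposes a process's new primary-token SID is assumed to be available from your EDR or ETW source.

```python
"""Flag a process that created CLFS log files and then, within a short window,
acquired a SYSTEM (S-1-5-18) token. Added example for the detection note in
this entry; schema and sample data are constructed, not taken from any writeup."""
from collections import defaultdict
from datetime import datetime

SYSTEM_SID = "S-1-5-18"

# Constructed sample telemetry: (UTC timestamp, kind, pid, detail).
# kind "file_create" carries a path; kind "token_change" carries the new token SID.
SAMPLE_EVENTS = [
    ("2025-05-10T10:00:01Z", "file_create", 4120, r"C:\Users\alice\AppData\Local\Temp\log.blf"),
    ("2025-05-10T10:00:01Z", "file_create", 4120, r"C:\Users\alice\AppData\Local\Temp\log.blf.container00000001"),
    ("2025-05-10T10:00:04Z", "token_change", 4120, SYSTEM_SID),   # elevation 3 s after CLFS activity
    ("2025-05-10T10:05:00Z", "file_create", 5200, r"C:\Windows\Temp\svc.blf"),  # legitimate CLFS user, no elevation
    ("2025-05-10T10:20:00Z", "token_change", 6000, SYSTEM_SID),   # elevation with no CLFS activity at all
    ("2025-05-10T10:30:00Z", "file_create", 7000, r"C:\Users\bob\x.blf"),
    ("2025-05-10T10:32:00Z", "token_change", 7000, SYSTEM_SID),   # 120 s later: outside the default window
]


def is_clfs_path(path):
    """Heuristic (assumption): CLFS base logs end in .blf and containers are
    conventionally named <base>.blf.container<NNN>; real deployments may differ."""
    lower = path.lower()
    return lower.endswith(".blf") or ".blf." in lower


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious(events, window_seconds=30):
    """Return (pid, clfs_path, token_timestamp) for every SYSTEM token change
    preceded by a CLFS file creation from the same pid within window_seconds."""
    clfs_by_pid = defaultdict(list)   # pid -> [(datetime, path), ...]
    hits = []
    for ts, kind, pid, detail in sorted(events, key=lambda e: parse_ts(e[0])):
        now = parse_ts(ts)
        if kind == "file_create" and is_clfs_path(detail):
            clfs_by_pid[pid].append((now, detail))
        elif kind == "token_change" and detail == SYSTEM_SID:
            # Only look back: a token change before the CLFS activity is not this pattern.
            for created_at, path in clfs_by_pid.get(pid, []):
                if 0 <= (now - created_at).total_seconds() <= window_seconds:
                    hits.append((pid, path, ts))
                    break   # one hit per token change is enough for an alert
    return hits


if __name__ == "__main__":
    for pid, path, when in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} opened CLFS file {path!r}, gained SYSTEM token at {when}")
```

The window is the tunable part: the tracker note says "preceding seconds", and 30 s catches the sample chain while ignoring the 2-minute gap for pid 7000; widen it (the `window_seconds` argument) if your telemetry timestamps are coarse, at the cost of more noise from services that legitimately use CLFS and run as SYSTEM from the start (those never emit a mid-life token change and so do not match here).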
References
- ZeroPath — Windows CLFS Driver Zero-Day CVE-2025-32701: Privilege Escalation in the Wild — https://zeropath.com/blog/windows-clfs-zero-day-cve-2025-32701
- Tenable — Microsoft’s May 2025 Patch Tuesday Addresses 71 CVEs (CVE-2025-32701, CVE-2025-32706, CVE-2025-30400)
- Microsoft MSRC — CVE-2025-32701 advisory
- Wiz Vulnerability Database — CVE-2025-32701
