CVE-2025-60709 — CLFS Container Parsing OOB Read → Arbitrary Write

Last updated: 2026-04-28
Component: clfs.sys — Windows Common Log File System Driver
Bug Class: Out-of-bounds read (CWE-125) escalating to arbitrary kernel write
Patch: November 2025 Patch Tuesday
Exploited ITW: No public attribution at index time
Discoverer: Not publicly disclosed
Related: CLFS, CVE-2025-32701, CVE-2025-29824, CVE-2024-49138, CVE-2026-20820
Tags: clfs, oob-read, kernel-mode, lpe


Summary

CLFS again. Improper validation of attacker-controlled fields during container parsing leads to an out-of-bounds read; the OOB read feeds into a downstream code path that produces an arbitrary write into kernel memory. Standard user → SYSTEM.

This is the same logical shape as CVE-2026-20820 (ScanContainers missing the 0x38 CLS_SCAN_CONTEXT header) — an arithmetic / bounds bug during the metadata walk over containers. The November 2025 advisory describes CWE-125, but the public escalation path lands an arbitrary write primitive.


Root cause

The vulnerable code lives in CLFS’s container-info parsing. User-supplied fields (likely ContainerCount, container offset, or a similar BLF-side value) escape validation; the kernel reads past the allocated buffer. The OOB-read content then drives a later allocation or pointer arithmetic that becomes a write-what-where.

Detailed function names and offsets are not public at time of indexing. The structures involved (CLS_CONTAINER_INFORMATION, CLS_SCAN_CONTEXT) are documented on the CLFS page.
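The bug class described above comes down to trusting a count and an offset read from the file. The following is an added example, not code from clfs.sys or from the patch: it shows an overflow-safe bounds check over a hypothetical, simplified layout. The names demo_header_t, demo_entry_t, demo_validate_table and the DEMO_MAX_CONTAINERS cap are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified layout for illustration only.
 * NOT the real BLF format or any clfs.sys structure. */
typedef struct {
    uint32_t container_count; /* untrusted: number of table entries */
    uint32_t table_offset;    /* untrusted: byte offset of the table */
} demo_header_t;

typedef struct {
    uint64_t size;
    uint32_t id;
    uint32_t state;
} demo_entry_t;

#define DEMO_MAX_CONTAINERS 1024u /* assumed sanity cap */

/* Validates the untrusted header fields against the real buffer length.
 * Returns 0 and the checked offset/count on success, -1 on any violation. */
int demo_validate_table(const uint8_t *buf, size_t len,
                        size_t *table_off, uint32_t *count)
{
    demo_header_t hdr;

    if (buf == NULL || len < sizeof hdr)
        return -1;
    memcpy(&hdr, buf, sizeof hdr); /* snapshot once; never re-read the fields */

    if (hdr.container_count == 0 || hdr.container_count > DEMO_MAX_CONTAINERS)
        return -1;
    /* The table must start after the header and inside the buffer. */
    if (hdr.table_offset < sizeof hdr || hdr.table_offset > len)
        return -1;

    /* Compare by division on the remaining bytes. The naive form
     * offset + count * entry_size <= len can wrap and pass. */
    size_t remaining = len - hdr.table_offset;
    if (hdr.container_count > remaining / sizeof(demo_entry_t))
        return -1;

    *table_off = hdr.table_offset;
    *count = hdr.container_count;
    return 0;
}
```

Later code should index only through the returned offset and count, so that no downstream allocation or pointer arithmetic consumes an unchecked value.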


Exploitation (expected pattern)

The CLFS family pattern continues to apply:

  1. Trigger the buggy parse via an IOCTL or BLF metadata operation.
  2. Use the OOB read to leak a kernel address (KASLR break) and / or place a primitive in attacker-controlled paged-pool slots.
  3. Land the arbitrary write — either flipping KTHREAD.PreviousMode, swapping a _TOKEN, or piloting an IORING RegBuffers entry to user space.
  4. Token steal.

Affected versions

Windows 10 / 11 (multiple builds), Windows Server 2008–2025. Patch in November 2025 cumulative updates.


References