CVE-2022-24521
Common Log File System, rgClients PreviousMode decrement via crafted BLF metadata
Exploited in the Wild
This vulnerability was exploited in the wild before or shortly after patching.
Summary
| Field | Value |
|---|---|
| Driver | clfs.sys |
| Vulnerability Class | Logical Error / Out-of-Bounds Write |
| Exploited ITW | Yes |
| CVSS | 7.8 |
The Story
Reported jointly by the NSA and CrowdStrike, CVE-2022-24521 was being exploited as a zero-day by multiple ransomware operators starting around June 2022. The combination of reporters (a signals intelligence agency and a leading threat intelligence firm) underscores how serious the in-the-wild activity was. This is the CLFS vulnerability that demonstrated how a file format parsing bug in a logging subsystem could become a standard ransomware escalation primitive.
What Happens When You Open the Crafted BLF
The vulnerability sits in how CLFS handles the rgClients array inside base log file (BLF) metadata. When a user opens a crafted .blf file via CreateLogFile, the driver parses on-disk client context records without properly validating their offsets or values. A specially constructed BLF can set rgClients[0] to a value that, when processed by the CLFS parsing logic, causes the driver to decrement the calling thread's PreviousMode from UserMode (1) to KernelMode (0).
This is an extraordinarily clean primitive. Once PreviousMode is zeroed, the thread's subsequent calls to NtReadVirtualMemory and NtWriteVirtualMemory bypass all user/kernel address checks, because the kernel treats the caller as originating from kernel mode.
From BLF to SYSTEM
The PreviousMode flip gives an immediate arbitrary read/write primitive over the entire kernel address space, with no additional exploitation steps needed. The attacker reads the current process's EPROCESS token pointer, then overwrites it with a copy of the SYSTEM token. No pool spray needed. No heap shaping needed. The decrement itself is the primitive.
The full chain: drop a crafted .blf file to a user-writable directory, call CreateLogFile to trigger the rgClients parsing, PreviousMode drops to zero, then NtWriteVirtualMemory performs the token swap. The reliability and simplicity of this chain explains why multiple ransomware groups adopted it rapidly.
Patch Analysis
The fix adds validation of rgClients array entries during BLF metadata parsing, rejecting client context records whose offsets would produce writes outside the metadata buffer. The patch also adds explicit bounds checking on the fields used to compute the decrement target.
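As an added illustration of the kind of check the patch describes, here is a small C validator that rejects rgClients entries whose client context record would fall outside the metadata buffer, overlap the fixed header, or overlap another record. It is not the clfs.sys code; the header size, record size, array length and the overlap rule are assumptions made for the demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed sizes for the demo; the real on-disk layout is defined by
 * clfs.sys and differs from these values. */
#define META_HEADER_SIZE 64u   /* fixed header before any client record */
#define CLIENT_CTX_SIZE  32u   /* size of one client context record */
#define MAX_RG_CLIENTS   4u    /* array length used by the demo */

/* Returns true only if every non-zero rgClients[i] names a client context
 * record that is 4-byte aligned, lies wholly inside the metadata buffer,
 * does not overlap the fixed header, and does not overlap another record.
 * Any failing entry means the BLF is corrupt or crafted and is rejected. */
static bool validate_rg_clients(const uint32_t *rgClients, size_t count, size_t meta_len)
{
    for (size_t i = 0; i < count; i++) {
        uint32_t off = rgClients[i];
        if (off == 0)
            continue;                       /* unused slot */
        if (off % 4 != 0)
            return false;                   /* misaligned record */
        if (off < META_HEADER_SIZE)
            return false;                   /* record points into the header */
        /* 64-bit arithmetic so off + size cannot wrap around */
        if ((uint64_t)off + CLIENT_CTX_SIZE > meta_len)
            return false;                   /* record runs off the buffer */
        for (size_t j = 0; j < i; j++) {
            uint32_t prev = rgClients[j];
            if (prev == 0) continue;
            /* overlapping records let one record's fields alias another's */
            if (off < prev + CLIENT_CTX_SIZE && prev < off + CLIENT_CTX_SIZE)
                return false;
        }
    }
    return true;
}

int main(void)
{
    /* constructed sample arrays checked against a 512-byte metadata buffer */
    uint32_t good[MAX_RG_CLIENTS] = { 64, 96, 0, 0 };          /* two records, no overlap */
    uint32_t bad[MAX_RG_CLIENTS]  = { 64, 0xFFFFFFF0u, 0, 0 }; /* second record off the end */
    printf("good=%d bad=%d\n", validate_rg_clients(good, MAX_RG_CLIENTS, 512),
                               validate_rg_clients(bad, MAX_RG_CLIENTS, 512));
    return 0;
}
```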
Broader Significance
CVE-2022-24521 is the CVE that established CLFS as a preferred ransomware escalation vector. Before this, CLFS bugs existed but were not widely exploited at scale. After this, ransomware groups recognized the pattern: craft a BLF, trigger a parsing bug, get a kernel primitive. The subsequent CLFS CVEs (CVE-2022-37969, CVE-2023-23376, CVE-2023-28252) all followed the same playbook, exploited by the same class of threat actors. See the CLFS Deep Dive for the full pattern analysis.