CVE-2022-35803
Common Log File System -- type confusion via incomplete CVE-2022-24481 patch
Exploited in the Wild
This vulnerability was exploited in the wild before or shortly after patching.
Summary
| Field | Value |
|---|---|
| Driver | clfs.sys |
| Vulnerability Class | Type Confusion (Patch Bypass) |
| Exploited ITW | Yes |
| CVSS | 7.8 |
Root Cause
This is a bypass of the incomplete fix for CVE-2022-24481. The original patch added validation to one code path in CLFS's base log file parsing, but missed a second path reachable through CClfsLogFcbPhysical::GetContainerForLsn. The same underlying type confusion still exists: a crafted BLF file causes the driver to misinterpret a metadata structure, and the GetContainerForLsn gadget provides a read/write primitive through the confused object.
The exploit uses the same PreviousMode technique as CVE-2022-24521 -- once the confused object gives a controlled write, the attacker decrements PreviousMode to zero and proceeds with NtReadVirtualMemory/NtWriteVirtualMemory for arbitrary kernel access.
Exploitation
This follows the same pattern as the earlier CLFS ransomware exploits. The type confusion through GetContainerForLsn provides a write primitive, which is used to flip PreviousMode and then perform a token swap for SYSTEM. Ransomware operators adopted this variant after the incomplete CVE-2022-24481 patch left the second code path exposed.
Patch Analysis
The fix extends the validation added for CVE-2022-24481 to cover the CClfsLogFcbPhysical::GetContainerForLsn code path. Type checks now validate the metadata structure interpretation before the container lookup proceeds.