CVE-2022-35803
Common Log File System, type confusion via incomplete CVE-2022-24481 patch
Exploited in the Wild
This vulnerability was exploited in the wild before or shortly after patching.
Summary
| Field | Value |
|---|---|
| Driver | clfs.sys |
| Vulnerability Class | Type Confusion (Patch Bypass) |
| Exploited ITW | Yes |
| CVSS | 7.8 |
The Story
CVE-2022-35803 is a patch bypass, and it tells the story of incremental CLFS fixes better than any architectural analysis could. Microsoft patched CVE-2022-24481 by adding validation to one code path in CLFS's base log file parsing. They missed a second path reachable through CClfsLogFcbPhysical::GetContainerForLsn. The same underlying type confusion still exists; only the entry point changed.
Ransomware operators discovered the bypass and adopted it after the incomplete patch left the second code path exposed. The vulnerability has the same impact as its predecessor: a crafted BLF file causes the driver to misinterpret a metadata structure, and the GetContainerForLsn gadget provides a read/write primitive through the confused object.
From Bypass to SYSTEM
The exploitation follows the same pattern established by CVE-2022-24521. The type confusion through GetContainerForLsn provides a controlled write primitive. The attacker uses this to decrement PreviousMode to zero, then proceeds with NtReadVirtualMemory and NtWriteVirtualMemory for arbitrary kernel access. Token swap for SYSTEM completes the chain.
The fact that ransomware operators could transition from the patched CVE-2022-24481 to CVE-2022-35803 with minimal retooling demonstrates the stability of the CLFS exploitation playbook: the specific bug changes, but the exploitation flow remains nearly identical.
Patch Analysis
The fix extends the validation added for CVE-2022-24481 to cover the CClfsLogFcbPhysical::GetContainerForLsn code path. Type checks now validate the metadata structure interpretation before the container lookup proceeds.
Broader Significance
CVE-2022-35803 is the canonical example of the incomplete patch problem in complex kernel subsystems. When the attack surface has multiple code paths reaching the same vulnerable logic, patching one path while missing another creates a variant that attackers can find through targeted diffing. For CLFS specifically, this CVE demonstrated that incremental patching of individual code paths was not keeping up with the rate at which researchers and threat actors found new paths to the same underlying bugs. This realization contributed to Microsoft's eventual CLFS Isolation hardening effort in Windows 11 24H2.