CVE-2022-37969

Common Log File System, SignaturesOffset OOB write via corrupted cbSymbolZone

Exploited in the Wild

This vulnerability was exploited in the wild before or shortly after patching.

Summary

Field	Value
Driver	`clfs.sys`
Vulnerability Class	Buffer Overflow / Bounds Check
Vulnerable Build	`10.0.22621.1` (RTM)
Fixed Build	`10.0.22621.521` (KB5019509)
Exploited ITW	Yes

The Story

CVE-2022-37969 was the first widely publicized CLFS in-the-wild exploit, and it cemented the CLFS exploitation playbook that ransomware operators would follow for years. Multiple threat actor groups exploited this vulnerability before the patch was available. The only prerequisites: the ability to write a file and call CreateLogFile.

The bug is a textbook example of the CLFS file format weakness. A single unchecked field, cbSymbolZone, pushes a derived offset outside the allocated buffer, and the kernel writes signature data to wherever that offset points.

Affected Functions

CClfsBaseFilePersisted
AddSymbol
cbSymbolZone

How cbSymbolZone Breaks the Buffer Boundary

The Common Log File System maintains a symbol table within BLF metadata blocks for tracking named log streams and containers. The cbSymbolZone field records the current size of the symbol zone within the base metadata block. When a user-mode application opens a BLF file via CreateLogFile, the CLFS driver parses the on-disk metadata and uses cbSymbolZone to compute derived offsets, including SignaturesOffset, which determines where CLFS writes integrity signature data within the metadata buffer.

Here is what goes wrong. An attacker crafts a BLF file where cbSymbolZone is set to a value larger than the actual metadata block allocation. The driver does not bounds-check cbSymbolZone against the container block size. The resulting SignaturesOffset calculation yields a pointer that falls outside the allocated buffer. When CLFS writes signature data at the computed offset, it performs an out-of-bounds write relative to the kernel pool allocation backing the metadata block.

AutoPiff categorizes this as bounds_check with detection rules:

added_index_bounds_check
added_struct_size_validation

From Pool Corruption to SYSTEM

The out-of-bounds write gives a controlled relative write primitive: the attacker controls the displacement via cbSymbolZone, and the data written is the CLFS signature bytes, which are partially predictable. Because the CLFS metadata allocation resides in the kernel paged pool, the write lands at a controlled offset from the start of that allocation.

Exploitation follows a pool feng shui strategy. The attacker sprays the paged pool with controlled objects, commonly pipe attributes, named pipe data entries, or similar allocations of a matching size class, positioning them adjacent to the CLFS metadata buffer. After triggering the OOB write via the crafted BLF file, the corrupted bytes overwrite the header or an embedded function pointer of a neighboring pool object. The attacker interacts with the corrupted object to convert the limited write into a broader read/write primitive. From there, token replacement (swapping the current process token with the SYSTEM token) completes the escalation.

Patch Analysis

The patch shipped in KB5017321 (build 10.0.22621.521) added bounds validation for cbSymbolZone and the derived offset fields within the CLFS base metadata parsing routines. The fix ensures that cbSymbolZone does not exceed the size of the metadata block allocation, and that any offset computed from it (including SignaturesOffset) falls within the allocated buffer before the driver writes to that location. Additional index bounds checks were introduced in the symbol table lookup and insertion paths.

AutoPiff detects these changes through the added_index_bounds_check and added_struct_size_validation rules, which flag the introduction of comparison instructions that gate write operations on the relationship between a field value and a container or buffer size.

Detection

YARA Rule

rule CVE_2022_37969_CLFS {
    meta:
        description = "Detects vulnerable version of clfs.sys (pre-patch)"
        cve = "CVE-2022-37969"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        $driver_name = "clfs.sys" wide ascii nocase
        $blf_marker = { 42 4C 46 30 }
        $vuln_build = "10.0.22621.1" wide ascii
        $func_base_file = "CClfsBaseFilePersisted" ascii
        $func_add_symbol = "AddSymbol" ascii
    condition:
        $mz at 0 and $driver_name and $vuln_build and ($blf_marker or $func_base_file or $func_add_symbol)
}

ETW Indicators

Provider	Event / Signal	Relevance
Microsoft-Windows-CLFS	Log file open / container operations	Fires when `CreateLogFile` parses BLF metadata containing the corrupted `cbSymbolZone` value
Microsoft-Windows-CLFS	Symbol table insertion events	Detects AddSymbol operations on a BLF with manipulated symbol zone boundaries
Microsoft-Windows-Kernel-Audit	Token modification events	Detects the EPROCESS token swap that converts the exploit's pool corruption into SYSTEM privileges
Microsoft-Windows-Security-Auditing	Event ID 4672 (Special privileges assigned)	Low-privilege process gaining SeTcbPrivilege or SeDebugPrivilege after BLF file interaction
Microsoft-Windows-Security-Auditing	Event ID 4688 (Process creation)	Post-exploitation SYSTEM-level child process spawned from a previously unprivileged parent

Behavioral Indicators

A user-mode process creates or opens a .blf file via CreateLogFile where the on-disk cbSymbolZone value exceeds the actual metadata block size, causing SignaturesOffset to point outside the allocated buffer
Paged pool spray activity immediately preceding the CreateLogFile call, typically pipe attribute allocations (NtFsControlFile with FSCTL_PIPE_ASSIGN_EVENT) or named pipe data entries of a matching size class
Out-of-bounds write into an adjacent pool object header or embedded pointer, followed by interaction with that corrupted object
Suspicious .blf files appearing in user-writable directories with cbSymbolZone values inconsistent with the actual symbol table contents
Process token replacement at runtime: the attacking process acquires a SYSTEM token without legitimate elevation

Broader Significance

CVE-2022-37969 established the CLFS exploitation template that all subsequent CLFS ITW exploits follow: craft a BLF with a corrupted offset field, trigger parsing via CreateLogFile, use pool feng shui to position controlled objects adjacent to the metadata allocation, and convert the OOB write into a token swap. Every CLFS CVE since (CVE-2023-23376, CVE-2023-28252, CVE-2025-29824) follows this same playbook with variations in which offset field is corrupted. See the CLFS Deep Dive for the complete pattern analysis.