
CVE-2023-23376

Common Log File System, out-of-bounds write via CLFS_CONTROL_RECORD manipulation

Exploited in the Wild

This vulnerability was exploited in the wild before or shortly after patching.

Summary

Field                Value
Driver               clfs.sys
Vulnerability Class  Out-of-Bounds Write
Exploited ITW        Yes
CVSS                 7.8

The Story

Discovered by MSTIC and MSRC as a zero-day, CVE-2023-23376 was likely chained with an RCE for ransomware delivery in the campaigns where it was observed. It represents another variation on the CLFS exploitation theme, but with a twist: this time the target is the CLFS_CONTROL_RECORD rather than the CLFS_BASE_RECORD_HEADER used in CVE-2022-37969 and CVE-2022-35803.

The root cause is nearly identical to its predecessors. The driver trusts offset fields in on-disk BLF metadata without bounds checking, and a crafted .blf file produces an out-of-bounds write when opened. The fact that this is the same bug class in a different structure, discovered in the wild after two previous CLFS CVEs were patched, illustrates the incremental patching problem: Microsoft fixes the specific structure that was exploited, but leaves the same pattern unaddressed in other structures within the same parser.

From Control Record to SYSTEM

The OOB write provides a relative write primitive in the kernel paged pool. Exploitation follows the standard CLFS pattern, by this point well established among ransomware operators: spray the paged pool to position controlled objects adjacent to the CLFS metadata allocation, trigger the OOB write via the crafted BLF, corrupt an adjacent object, and convert the corruption into a token swap for SYSTEM.

The likely chaining with an RCE suggests this was used as the local privilege escalation component in a complete kill chain, where the initial access came through a separate remote vulnerability and CVE-2023-23376 provided the escalation from a sandboxed or low-privilege context to SYSTEM.

Patch Analysis

The fix adds bounds validation on offset fields within CLFS_CONTROL_RECORD processing, checking that derived write targets fall within the allocated metadata buffer. This is the same class of fix applied to previous CLFS CVEs, extended to cover the control record structure.
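The root-cause paragraph and the patch analysis above both come down to one parser property: an offset field read from the file is turned into a write target inside the driver's own metadata buffer, and the fix is to validate that derived target against the real allocation size. The following C is an added example written for this page, not code from clfs.sys or from Microsoft's patch; the header layout (`TOY_MAGIC`, `build_toy_block`, the four 32-bit fields) is a constructed stand-in and not the real CLFS_CONTROL_RECORD, so only the validation pattern carries over.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy header, NOT the real CLFS_CONTROL_RECORD layout. It models
 * only the property the bug hinges on: offset fields read from the file that
 * the parser later turns into write targets inside its own metadata buffer. */
#define TOY_MAGIC       0x434C4653u   /* constructed marker */
#define TOY_HDR_SIZE    16u           /* magic, total_size, dump_offset, dump_length */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Builds a toy block in buf; used only to construct sample input for the checks below. */
void build_toy_block(uint8_t *buf, uint32_t total_size, uint32_t dump_offset, uint32_t dump_length) {
    wr32(buf, TOY_MAGIC); wr32(buf + 4, total_size);
    wr32(buf + 8, dump_offset); wr32(buf + 12, dump_length);
}

/* True only if [offset, offset+length) lies inside a buffer of buf_len bytes
 * and does not overlap the first reserved_prefix bytes (the header itself).
 * Subtraction instead of offset+length keeps the comparison wraparound-safe. */
bool range_in_bounds(size_t buf_len, size_t offset, size_t length, size_t reserved_prefix) {
    if (length == 0 || offset > buf_len) return false;
    if (length > buf_len - offset) return false;
    return offset >= reserved_prefix;
}

/* The pre-patch shape of this logic was: compute buf + dump_offset from the
 * file's field and write dump_length bytes there. This version validates every
 * derived target against the real allocation size before touching memory.
 * Returns 0 on success, a distinct negative code for each rejected condition. */
int apply_control_update(uint8_t *buf, size_t buf_len, const uint8_t *payload, size_t payload_len) {
    if (buf_len < TOY_HDR_SIZE) return -1;                 /* truncated header */
    if (rd32(buf) != TOY_MAGIC) return -2;                 /* not our block */
    uint32_t total = rd32(buf + 4), off = rd32(buf + 8), len = rd32(buf + 12);
    if (total > buf_len) return -3;                        /* file claims more than allocated */
    if (!range_in_bounds(total, off, len, TOY_HDR_SIZE)) return -4; /* derived target out of bounds */
    if (len > payload_len) return -5;                      /* caller supplied too little data */
    memcpy(buf + off, payload, len);
    return 0;
}
```

The checks that matter are the ones the unpatched pattern lacked: the claimed size is clamped to the real allocation, the target range is tested without an addition that can wrap, and the header that is currently being parsed is excluded as a write target.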

Broader Significance

CVE-2023-23376 is the third CLFS zero-day exploited in the wild within a 12-month period (after CVE-2022-24521 and CVE-2022-37969), and it appeared just months before CVE-2023-28252, the fourth. The cadence of CLFS exploitation accelerated through 2022-2023, with ransomware operators treating CLFS as a renewable source of kernel escalation primitives. Each time Microsoft patched one structure, the same bug class was found and exploited in another structure within the same driver. See the CLFS Deep Dive for the complete timeline and pattern analysis.

References