CVE-2023-36036

Cloud Files Mini Filter — heap overflow via crafted reparse data

Exploited in the Wild

This vulnerability was exploited in the wild before or shortly after patching.

Summary

Field                Value
Driver               cldflt.sys
Vulnerability Class  Buffer Overflow / Bounds Check
Vulnerable Build     10.0.22621.2506 (KB5031455)
Fixed Build          10.0.22621.2715 (KB5032190)
Exploited ITW        Yes

Affected Functions

  • HsmFltProcessReparse
  • HsmpRpReadBuffer
  • HsmpRpWriteBuffer

Root Cause

AutoPiff categorizes this as bounds_check, with the following detection rules matched in the patched build:

  • added_len_check_before_memcpy
  • added_bounds_check_on_offset

Exploitation

Patch Analysis

Detection

YARA Rule

rule CVE_2023_36036_CLDFLT {
    meta:
        description = "Detects vulnerable version of cldflt.sys (pre-patch)"
        cve = "CVE-2023-36036"
        author = "KernelSight"
        severity = "high"
    strings:
        // PE "MZ" signature, anchored at offset 0 in the condition
        $mz = { 4D 5A }
        // Driver name as it appears in the version resource (UTF-16 or ASCII)
        $driver_name = "cldflt.sys" wide ascii nocase
        // Unpatched file version from the Summary table
        $vuln_build = "10.0.22621.2506" wide ascii
        // Names of the affected functions (present in symbols/export strings)
        $reparse_func = "HsmFltProcessReparse" ascii
        $rp_read = "HsmpRpReadBuffer" ascii
        $rp_write = "HsmpRpWriteBuffer" ascii
    condition:
        $mz at 0 and $driver_name and $vuln_build and any of ($reparse_func, $rp_read, $rp_write)
}

ETW Indicators

Provider: Microsoft-Windows-CloudFiles
  Event / Signal: Reparse point processing events
  Relevance: Monitors the Cloud Files mini-filter for crafted reparse data that triggers the heap overflow

Provider: Microsoft-Windows-Kernel-Audit
  Event / Signal: Token modification (Event ID 4672)
  Relevance: Captures privilege escalation following successful heap corruption

Provider: Microsoft-Windows-Security-Auditing
  Event / Signal: File system object access (Event ID 4663)
  Relevance: Detects access to files with crafted reparse points targeting the cldflt.sys mini-filter

Provider: Microsoft-Windows-StorageSpaces-Driver
  Event / Signal: Filter manager load/attach events
  Relevance: Monitors mini-filter attachment state changes that may indicate exploitation attempts

Behavioral Indicators

  • A process creates files with crafted reparse point data (FSCTL_SET_REPARSE_POINT) where the reparse buffer length fields are inconsistent with the actual data size, targeting the HsmFltProcessReparse code path
  • Heap overflow in the kernel non-paged pool triggered during HsmpRpReadBuffer or HsmpRpWriteBuffer when the driver copies reparse data without proper bounds validation
  • Pool spray activity using objects sized to align with the overflowed allocation, enabling controlled overwrite of adjacent pool metadata or object headers
  • Abnormal DeviceIoControl or NtFsControlFile calls issuing reparse-related FSCTLs from a process with no legitimate cloud sync activity
  • Post-exploitation token swap observed as a low-privilege process suddenly operating with SYSTEM-level access after triggering the overflow
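The first behavioral indicator above (reparse buffer length fields inconsistent with the actual data size) and the two AutoPiff rules (a length check before the copy, a bounds check on an inner offset) describe the same class of validation. The following added example, not code from this page, from KernelSight or from cldflt.sys, shows that validation over constructed REPARSE_DATA_BUFFER samples: the header layout and the IO_REPARSE_TAG_CLOUD constants are the documented ntifs.h values, while the inner (offset, length) record is a hypothetical stand-in because the real cldflt data format is not on the page.

```python
import struct

# Real constants from ntifs.h; the INNER record is a hypothetical layout.
IO_REPARSE_TAG_CLOUD = 0x9000001A
IO_REPARSE_TAG_CLOUD_MASK = 0x0000F000          # variant bits used by the tag family
MAXIMUM_REPARSE_DATA_BUFFER_SIZE = 16 * 1024
HEADER = struct.Struct("<IHH")   # ReparseTag, ReparseDataLength, Reserved
INNER = struct.Struct("<HH")     # hypothetical: (offset, length) of a sub-blob in the data


def is_cloud_tag(tag: int) -> bool:
    """True for any tag in the Cloud Files family handled by cldflt.sys."""
    return (tag & ~IO_REPARSE_TAG_CLOUD_MASK) == IO_REPARSE_TAG_CLOUD


def validate_reparse_buffer(buf: bytes):
    """Return (ok, reason). Every check runs before any data byte is consumed,
    which is the ordering the patch's added_len_check_before_memcpy rule names."""
    if len(buf) < HEADER.size:
        return False, "shorter than REPARSE_DATA_BUFFER header"
    tag, data_len, _reserved = HEADER.unpack_from(buf)
    if not is_cloud_tag(tag):
        return False, f"tag {tag:#010x} is not a Cloud Files tag"
    total = HEADER.size + data_len
    if total > MAXIMUM_REPARSE_DATA_BUFFER_SIZE:
        return False, "exceeds MAXIMUM_REPARSE_DATA_BUFFER_SIZE"
    if total > len(buf):               # the length field claims more than was supplied
        return False, f"ReparseDataLength {data_len} overruns {len(buf)}-byte buffer"
    data = buf[HEADER.size:total]
    if len(data) < INNER.size:
        return False, "data too short for inner record"
    off, ln = INNER.unpack_from(data)
    # Python ints do not wrap; in C compute off + ln with overflow-safe arithmetic.
    if off < INNER.size or off + ln > len(data):
        return False, f"inner record {off}+{ln} exceeds {len(data)} bytes of data"
    return True, "consistent"


def make_buffer(tag, data_len, off, ln, payload=b"A" * 8):
    """Build a constructed sample: header with the given claims, inner record, payload."""
    return HEADER.pack(tag, data_len, 0) + INNER.pack(off, ln) + payload


# Constructed samples, not captured artifacts.
GOOD = make_buffer(IO_REPARSE_TAG_CLOUD, 12, 4, 8)             # claims match reality
OVERLONG = make_buffer(IO_REPARSE_TAG_CLOUD, 0x1000, 4, 8)     # length field lies
BAD_OFFSET = make_buffer(IO_REPARSE_TAG_CLOUD, 12, 4, 0x200)   # inner record overruns

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("OVERLONG", OVERLONG), ("BAD_OFFSET", BAD_OFFSET)):
        print(name, validate_reparse_buffer(sample))
```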

References