CVE-2024-30084
Cloud Files Mini Filter -- TOCTOU race condition
Summary
| Field | Value |
|---|---|
| Driver | cldflt.sys |
| Vulnerability Class | Race Condition / TOCTOU |
| Exploited ITW | No |
| CVSS | 7.0 |
Root Cause
CVE-2024-30084 is a time-of-check-to-time-of-use (TOCTOU) race condition in the Windows Cloud Files Mini Filter driver (cldflt.sys). The driver validates a user-mode buffer or state, then uses it without holding a lock that prevents concurrent modification. A second thread can alter the validated data between the check and the use.
This was used alongside CVE-2024-35250 by DEVCORE (Angelboy) at Pwn2Own Vancouver 2024 to compromise Windows 11. The race in cldflt.sys provided the initial primitive, which was chained with the kernel streaming bug for full exploitation.
Exploitation
The TOCTOU race provides a limited write primitive. In the Pwn2Own chain, this was combined with CVE-2024-35250 (a kernel streaming untrusted pointer dereference) to build a full kernel read/write primitive and achieve SYSTEM.
Patch Analysis
The fix adds synchronization around the check-then-use sequence in cldflt.sys, ensuring the validated state cannot change between validation and consumption.
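The check-then-use window described under Root Cause and the synchronization described under Patch Analysis, modelled in user-space C as an added example (not code from cldflt.sys or from the original page). The struct, the function names, the 16-byte limit and the in-line `racer` call that stands in for a second thread are all assumptions made for illustration.

```c
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>
#define DST_CAP 16   /* logical size limit enforced by the check */

/* Constructed model of shared state; not a cldflt.sys structure. */
struct shared_req {
    atomic_flag lock;          /* guards len and data */
    size_t len;
    unsigned char data[64];
};

/* Simulated second thread: enlarges len, but only if it gets the lock. */
static void racer(struct shared_req *r) {
    if (atomic_flag_test_and_set(&r->lock)) return;  /* held: writer must wait */
    r->len = sizeof r->data;
    atomic_flag_clear(&r->lock);
}

/* Unsynchronized shape: check, window, use. dst is backed by 64 bytes
 * so the model itself never corrupts memory. */
size_t handle_unlocked(struct shared_req *r, unsigned char *dst) {
    if (r->len > DST_CAP) return 0;   /* time of check */
    racer(r);                         /* other thread runs in the window */
    memcpy(dst, r->data, r->len);     /* time of use: len is read again */
    return r->len;
}

/* Synchronized shape: the lock spans both the check and the use. */
size_t handle_locked(struct shared_req *r, unsigned char *dst) {
    size_t n = 0;
    while (atomic_flag_test_and_set(&r->lock)) { }   /* acquire */
    if (r->len <= DST_CAP) {
        racer(r);                     /* same window, writer is shut out */
        memcpy(dst, r->data, r->len);
        n = r->len;
    }
    atomic_flag_clear(&r->lock);
    return n;
}

/* Runs one scenario from a valid starting length of 8 bytes. */
size_t run_case(int locked) {
    struct shared_req r = { .lock = ATOMIC_FLAG_INIT, .len = 8 };
    unsigned char dst[64];
    return locked ? handle_locked(&r, dst) : handle_unlocked(&r, dst);
}

int main(void) {
    printf("unlocked: %zu, locked: %zu (cap %d)\n", run_case(0), run_case(1), DST_CAP);
}
```

The unlocked handler passes the check at 8 bytes and then consumes 64, past the 16-byte limit it had just enforced; the locked handler consumes the 8 bytes it validated.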