CVE-2024-49138
Common Log File System — heap overflow in LoadContainerQ allows EoP
Exploited in the Wild
This vulnerability was exploited in the wild before or shortly after patching.
Summary
| Field | Value |
|---|---|
| Driver | clfs.sys |
| Vulnerability Class | Buffer Overflow / Bounds Check |
| Vulnerable Build | 10.0.22621.4541 (KB5046617) |
| Fixed Build | 10.0.22621.4601 (KB5048685) |
| Exploited ITW | Yes |
Affected Functions
CClfsBaseFilePersisted::LoadContainerQ
Root Cause
AutoPiff categorizes this as bounds_check, with the following detection rules matching the patch:
- added_len_check_before_memcpy
- added_index_bounds_check
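The two rule names above describe a pattern rather than a specific line of clfs.sys: a loader that takes an array index and a copy length from file-controlled metadata and uses them before checking either against the allocation it is writing into. The following is an added illustration of that pattern in C, written for this page; it is not clfs.sys code, the image layout (a count, then per-record index/length/payload) is invented for the example, and `MAX_CONTAINERS`, `CONTAINER_SIZE` and the function names are assumptions. The vulnerable loader is only ever run on benign input here, because on crafted input it really would write out of bounds.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_CONTAINERS 8    /* entries in the in-memory container array (assumed) */
#define CONTAINER_SIZE 16   /* bytes each entry can hold (assumed) */

/* In-memory object the loader fills in. Hypothetical, not the CLFS layout. */
struct base_file {
    uint8_t containers[MAX_CONTAINERS][CONTAINER_SIZE];
};

enum load_status { LOAD_OK = 0, LOAD_TRUNCATED, LOAD_BAD_INDEX, LOAD_BAD_LEN };

/* Invented image layout (host byte order), used by this example only:
 *   u32 count; then `count` times: u32 index, u32 len, u8 payload[len] */
static int rd32(const uint8_t *img, size_t img_len, size_t *off, uint32_t *out)
{
    if (img_len - *off < 4)
        return 0;
    memcpy(out, img + *off, 4);
    *off += 4;
    return 1;
}

/* Vulnerable form: `index` and `len` come straight from the file. The source
 * side is checked against the image, but nothing checks the destination, so an
 * index >= MAX_CONTAINERS or a len > CONTAINER_SIZE writes past `containers`
 * (a pool overflow when the object lives in NonPagedPoolNx). */
static enum load_status load_containers_vuln(struct base_file *bf,
                                             const uint8_t *img, size_t img_len)
{
    size_t off = 0;
    uint32_t count, i;

    if (!rd32(img, img_len, &off, &count))
        return LOAD_TRUNCATED;
    for (i = 0; i < count; i++) {
        uint32_t index, len;
        if (!rd32(img, img_len, &off, &index) || !rd32(img, img_len, &off, &len))
            return LOAD_TRUNCATED;
        if (img_len - off < len)
            return LOAD_TRUNCATED;
        memcpy(bf->containers[index], img + off, len);   /* unchecked destination */
        off += len;
    }
    return LOAD_OK;
}

/* Hardened form: the two checks the AutoPiff rule names describe, placed
 * before the index is used and before the memcpy length is trusted. */
static enum load_status load_containers_fixed(struct base_file *bf,
                                              const uint8_t *img, size_t img_len)
{
    size_t off = 0;
    uint32_t count, i;

    if (!rd32(img, img_len, &off, &count))
        return LOAD_TRUNCATED;
    for (i = 0; i < count; i++) {
        uint32_t index, len;
        if (!rd32(img, img_len, &off, &index) || !rd32(img, img_len, &off, &len))
            return LOAD_TRUNCATED;
        if (index >= MAX_CONTAINERS)        /* added_index_bounds_check */
            return LOAD_BAD_INDEX;
        if (len > CONTAINER_SIZE)           /* added_len_check_before_memcpy */
            return LOAD_BAD_LEN;
        if (img_len - off < len)
            return LOAD_TRUNCATED;
        memcpy(bf->containers[index], img + off, len);
        off += len;
    }
    return LOAD_OK;
}

/* Builds a one-record image with the given index/len (constructed test input). */
static size_t build_image(uint8_t *buf, size_t cap, uint32_t index, uint32_t len)
{
    uint32_t count = 1;
    size_t off = 0;
    if (cap < 12 || cap - 12 < len)
        return 0;
    memcpy(buf + off, &count, 4); off += 4;
    memcpy(buf + off, &index, 4); off += 4;
    memcpy(buf + off, &len, 4);   off += 4;
    memset(buf + off, 0x41, len); off += len;
    return off;
}

/* Runs one loader over a constructed image. Only pass crafted values to the
 * fixed loader: the vulnerable one would really corrupt memory. */
static enum load_status run_case(uint32_t index, uint32_t len, int use_fixed)
{
    uint8_t img[256];
    struct base_file bf;
    size_t n = build_image(img, sizeof img, index, len);

    memset(&bf, 0, sizeof bf);
    if (n == 0)
        return LOAD_TRUNCATED;
    return use_fixed ? load_containers_fixed(&bf, img, n)
                     : load_containers_vuln(&bf, img, n);
}

int main(void)
{
    printf("benign, vuln loader:  %d\n", run_case(0, 16, 0));   /* LOAD_OK */
    printf("benign, fixed loader: %d\n", run_case(0, 16, 1));   /* LOAD_OK */
    printf("oob index, fixed:     %d\n", run_case(64, 16, 1));  /* LOAD_BAD_INDEX */
    printf("oversized len, fixed: %d\n", run_case(0, 64, 1));   /* LOAD_BAD_LEN */
    return 0;
}
```

The point of the vulnerable loader is that it is not careless everywhere: the source buffer is bounds-checked, which is why a fuzzer that only truncates files never finds the bug. The missing checks are on the destination, and both have to be added; checking only the index still lets an oversized length run off the end of a valid entry.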
Exploitation
Patch Analysis
Detection
YARA Rule
rule CVE_2024_49138_CLFS {
    meta:
        description = "Detects vulnerable version of clfs.sys (pre-patch)"
        cve = "CVE-2024-49138"
        author = "KernelSight"
        severity = "high"
    strings:
        // Version-resource strings are UTF-16, so the wide form is what matches.
        $driver_name = "clfs.sys" wide ascii nocase
        $internal_name = "InternalName" wide
        // File version of the vulnerable build listed in the summary table.
        // Other Windows branches carry different build numbers and need their own string.
        $vuln_version = "10.0.22621.4541" wide ascii
    condition:
        uint16(0) == 0x5A4D and $driver_name and $internal_name and $vuln_version
}

rule CVE_2024_49138_BLF_Exploit {
    meta:
        description = "Detects crafted BLF file targeting LoadContainerQ heap overflow"
        cve = "CVE-2024-49138"
        author = "KernelSight"
        severity = "high"
    strings:
        $blf_magic = { 42 4C 46 30 }
        // Heuristic: a little-endian 0x7FFFFFFF value (an oversized length or
        // index) in the first 4 KiB. Tune against benign BLF files before deploying.
        $overflow_pattern = { ?? ?? ?? ?? ?? ?? 00 00 FF FF FF 7F }
    condition:
        $blf_magic at 0 and $overflow_pattern in (0..4096)
}
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-CLFS | BLF file open/create events | Creation or opening of CLFS log files, the attack's entry point |
| Microsoft-Windows-Kernel-Audit | Token modification events | Privilege escalation via token swap after the heap overflow |
| Microsoft-Windows-Security-Auditing | Event 4688 (process creation) | Unexpected SYSTEM-level process creation following BLF manipulation |
| Microsoft-Windows-Kernel-Process | Process token changes | Token pointer overwrite used to escalate from standard user to SYSTEM |
Behavioral Indicators
- An unprivileged process calling CreateLogFile to open or create BLF log files whose container descriptor array has been manipulated, triggering the heap overflow in LoadContainerQ
- A heap overflow in NonPagedPoolNx during CLFS base file metadata loading, with the overflow size controlled by a crafted container index value that exceeds the allocated container array bounds
- Pool spray activity using named pipe objects or pipe attributes immediately before the BLF file operations, grooming the pool so the overflow lands in an attacker-controlled adjacent allocation
- Rapid elevation of a low- or medium-integrity process to SYSTEM without a corresponding UAC prompt or Service Control Manager interaction
- BLF files in user-writable temp directories with abnormal container descriptor counts or offset values that exceed the base record allocation size
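The indicators above are most useful when correlated: a BLF open by a non-elevated process, followed within seconds by a SYSTEM-integrity child of that same process, is far more specific than either event alone. The following is an added example of that correlation, written for this page and not KernelSight code. The event records, the 5-second window, the integrity model and the user-writable path list are all constructed assumptions; real ETW and 4688 records carry different field names and do not expose integrity this directly, so the mapping into `struct event` is left to the collector.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* Simplified event model (assumed for this example, not an ETW schema). */
enum ev_kind { EV_BLF_OPEN, EV_PROC_CREATE };
enum integrity { IL_LOW, IL_MEDIUM, IL_HIGH, IL_SYSTEM };

struct event {
    uint64_t ts_ms;        /* event time in ms; the stream is time-ordered */
    enum ev_kind kind;
    uint32_t pid;          /* opener pid (BLF_OPEN) or parent pid (PROC_CREATE) */
    enum integrity il;     /* integrity of opener (BLF_OPEN) or of new process (PROC_CREATE) */
    const char *path;      /* file opened, or image of the created process */
};

#define WINDOW_MS 5000     /* "rapid": SYSTEM child within 5 s of the BLF open (assumed) */

/* Case-insensitive compare of n bytes; avoids relying on strncasecmp. */
static int ci_eq(const char *a, const char *b, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

static int has_blf_extension(const char *p)
{
    size_t n = strlen(p);
    return n >= 4 && ci_eq(p + n - 4, ".blf", 4);
}

static int contains_ci(const char *hay, const char *needle)
{
    size_t hn = strlen(hay), nn = strlen(needle), i;
    for (i = 0; i + nn <= hn; i++)
        if (ci_eq(hay + i, needle, nn))
            return 1;
    return 0;
}

/* Locations a standard user can write to (heuristic list, assumed). */
static int in_user_writable_dir(const char *p)
{
    return contains_ci(p, "\\AppData\\Local\\Temp\\")
        || contains_ci(p, "\\Users\\Public\\")
        || contains_ci(p, "\\Windows\\Temp\\");
}

/* Chain rule: a process at or below medium integrity opens a .blf, and within
 * WINDOW_MS a process it parents is created at SYSTEM integrity. Writes the
 * parent pids into out[] (up to out_cap) and returns the number of chains. */
static int find_escalation_chains(const struct event *ev, size_t n,
                                  uint32_t *out, size_t out_cap)
{
    size_t i, j;
    int found = 0;
    for (i = 0; i < n; i++) {
        if (ev[i].kind != EV_BLF_OPEN || ev[i].il > IL_MEDIUM || !has_blf_extension(ev[i].path))
            continue;
        for (j = i + 1; j < n && ev[j].ts_ms - ev[i].ts_ms <= WINDOW_MS; j++) {
            if (ev[j].kind == EV_PROC_CREATE && ev[j].pid == ev[i].pid && ev[j].il == IL_SYSTEM) {
                if ((size_t)found < out_cap)
                    out[found] = ev[i].pid;
                found++;
                break;
            }
        }
    }
    return found;
}

/* Weaker, stand-alone signal: non-elevated BLF opens from user-writable paths. */
static int count_suspicious_blf_paths(const struct event *ev, size_t n)
{
    size_t i;
    int hits = 0;
    for (i = 0; i < n; i++)
        if (ev[i].kind == EV_BLF_OPEN && ev[i].il <= IL_MEDIUM
            && has_blf_extension(ev[i].path) && in_user_writable_dir(ev[i].path))
            hits++;
    return hits;
}

/* Constructed sample stream (not real telemetry). */
static const struct event SAMPLE[] = {
    {  1000, EV_BLF_OPEN,    4242, IL_MEDIUM, "C:\\Users\\alice\\AppData\\Local\\Temp\\log.blf" },
    {  1350, EV_PROC_CREATE, 4242, IL_SYSTEM, "C:\\Windows\\System32\\cmd.exe" },
    {  9000, EV_BLF_OPEN,     612, IL_SYSTEM, "C:\\Windows\\System32\\LogFiles\\app.blf" }, /* SYSTEM service: no chain */
    {  9100, EV_PROC_CREATE,  612, IL_SYSTEM, "C:\\Windows\\System32\\svchost.exe" },
    { 20000, EV_BLF_OPEN,    7777, IL_MEDIUM, "C:\\Users\\bob\\Documents\\notes.blf" },
    { 40000, EV_PROC_CREATE, 7777, IL_SYSTEM, "C:\\Windows\\System32\\cmd.exe" },          /* outside window */
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

static int demo_chains(void)
{
    uint32_t pids[8];
    return find_escalation_chains(SAMPLE, SAMPLE_N, pids, 8);
}

static int demo_paths(void) { return count_suspicious_blf_paths(SAMPLE, SAMPLE_N); }

int main(void)
{
    printf("escalation chains: %d\n", demo_chains());   /* 1 (pid 4242) */
    printf("suspicious paths:  %d\n", demo_paths());    /* 1 */
    return 0;
}
```

The integrity filter on the opener matters: CLFS is used legitimately by SYSTEM services, so SYSTEM-to-SYSTEM chains are noise, and a pool spray via named pipes (the fourth indicator) is only worth alerting on when it sits inside one of these chains.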