CVE-2025-32701
clfs.sys — use-after-free in log stream object allows SYSTEM escalation
Exploited in the Wild
Actively exploited zero-day, the second CLFS zero-day in as many months. Linked in public reporting to the Storm-2460 ransomware activity that deployed the PipeMagic backdoor against CLFS; Microsoft's own attribution of that campaign names the April bug, CVE-2025-29824, which sits on the same attack surface. Added to CISA KEV.
Summary
| Field | Value |
|---|---|
| Driver | clfs.sys |
| Vulnerability Class | Use-After-Free |
| CVSS | 7.8 |
| Exploited ITW | Yes |
| Patch Date | May 13, 2025 |
Root Cause
The CLFS driver (clfs.sys) frees a log stream object while other code paths still hold a raw pointer to it, so a later use of that pointer touches freed pool memory. Log operations reachable from user mode through the CLFS Win32 API (CreateLogFile, AddLogContainer) can trigger the premature free while references remain active. This is the second consecutive month with a CLFS zero-day, following CVE-2025-29824 in April 2025.
Exploitation
Because the object lives in a kernel pool of a known size class, an attacker who triggers the premature free can immediately spray allocations of that size with controlled contents, so the freed slot is reclaimed by attacker data. The stale pointer then dereferences that data, turning the use-after-free into a hijacked pointer and ultimately SYSTEM-level code execution. Object layouts in the CLFS log pool are predictable enough that KASLR is not a reliable barrier in some configurations. This is a local privilege escalation (the 7.8 score reflects AV:L/AC:L/PR:L/UI:N with high confidentiality, integrity and availability impact): the attacker already runs code as a low-privileged user, and the bug supplies only the step to SYSTEM.
Exploitation Primitive
CLFS log stream object freed prematurely
→ heap spray reclaim
→ corrupted pointer dereference → SYSTEM
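As an added illustration of the primitive chain above (this is not code from the advisory and not the CLFS exploit), the following C program models the three steps with a toy fixed-size pool allocator: an object is freed while a second raw pointer to it is still held, a spray of same-size allocations filled with attacker bytes reclaims the slot, and the stale pointer then reads attacker data where the object's function pointer used to be. The pool, the `log_stream_t` layout, the `STREAM_MAGIC` tag and the `0x41` fill are assumptions made for the demonstration; the hardened variant beside it uses per-holder reference counting so the slot is released only when the last holder drops it, which is the generic fix for this bug class.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy pool: one size class and a LIFO free list, so the slot freed most
 * recently is handed back by the very next allocation of that size. Real
 * kernel pool behaviour is richer, but this is the property a reclaim
 * spray relies on. (Hypothetical allocator, not the Windows pool.) */
#define SLOT_SIZE    32
#define SLOT_COUNT   8
#define STREAM_MAGIC 0x4C4F4753u   /* arbitrary tag marking a live object */

typedef union { uint8_t bytes[SLOT_SIZE]; void *align; } slot_t;
static slot_t pool[SLOT_COUNT];
static int free_list[SLOT_COUNT];
static int free_top;

static void pool_init(void) {
    memset(pool, 0, sizeof pool);
    free_top = 0;
    for (int i = SLOT_COUNT - 1; i >= 0; i--) free_list[free_top++] = i;
}
static void *pool_alloc(void) { return free_top ? pool[free_list[--free_top]].bytes : NULL; }
static void pool_free(void *p) { free_list[free_top++] = (int)((slot_t *)p - pool); }

/* Stand-in for a log stream object: refcount, tag, a function pointer and a
 * name. Hypothetical layout, not the real CLFS structure. */
typedef struct {
    uint32_t refs;
    uint32_t magic;
    void (*on_close)(void);
    uint8_t  name[16];
} log_stream_t;
_Static_assert(sizeof(log_stream_t) <= SLOT_SIZE, "object must fit one slot");

static void noop_close(void) {}

static log_stream_t *stream_create(const char *name) {
    log_stream_t *s = pool_alloc();
    if (!s) return NULL;
    s->refs = 1;
    s->magic = STREAM_MAGIC;
    s->on_close = noop_close;
    memset(s->name, 0, sizeof s->name);
    strncpy((char *)s->name, name, sizeof s->name - 1);
    return s;
}

/* Attacker step: grab every free slot of the size class and fill it with
 * controlled bytes, so whichever slot was just freed now holds our data. */
static void spray(uint8_t fill) {
    void *p;
    while ((p = pool_alloc()) != NULL) memset(p, fill, SLOT_SIZE);
}

/* 1 if every byte seen through the pointer is the spray value, i.e. the
 * stale reference now points at attacker data. */
static int reads_spray(const log_stream_t *s, uint8_t fill) {
    const uint8_t *b = (const uint8_t *)s;
    for (size_t i = 0; i < sizeof *s; i++) if (b[i] != fill) return 0;
    return 1;
}

/* Vulnerable pattern: one code path frees the object outright while a
 * second holder keeps a raw pointer. Returns 1 if the reclaim succeeded. */
int vulnerable_sequence(void) {
    pool_init();
    log_stream_t *s = stream_create("log1");
    log_stream_t *stale = s;          /* second holder, e.g. an open handle */
    pool_free(s);                     /* premature free: stale now dangles  */
    spray(0x41);                      /* reclaim the slot with 'A' bytes     */
    /* The "corrupted pointer dereference": stale->on_close is now
     * 0x4141... and calling it would jump to an attacker-chosen address. */
    return reads_spray(stale, 0x41) && stale->magic != STREAM_MAGIC;
}

/* Hardened pattern: every holder takes a reference and the slot is released
 * only when the last one drops. Returns 1 if the object survived the spray. */
static void stream_release(log_stream_t *s) {
    if (--s->refs == 0) { s->magic = 0; pool_free(s); }
}
int hardened_sequence(void) {
    pool_init();
    log_stream_t *s = stream_create("log1");
    log_stream_t *holder = s;
    holder->refs++;                   /* second holder registers itself      */
    stream_release(s);                /* first holder done: refs 2 -> 1      */
    spray(0x41);                      /* only genuinely free slots reclaimed */
    int alive = holder->magic == STREAM_MAGIC && holder->on_close == noop_close;
    stream_release(holder);           /* last reference: slot really freed   */
    return alive;
}

int main(void) {
    printf("vulnerable: stale pointer reads spray data = %d\n", vulnerable_sequence());
    printf("hardened:   object intact after spray      = %d\n", hardened_sequence());
    return 0;
}
```

Build with `cc -std=c11 uaf_demo.c` and run it; the vulnerable path reports 1 because the dangling pointer now reads the spray, and the hardened path reports 1 because the live object was never handed back to the allocator. The toy deliberately checks the overwritten function pointer rather than calling it, which is the point at which a real exploit would pivot to kernel code execution.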