CVE-2025-32701
clfs.sys -- use-after-free in log stream object allows SYSTEM escalation
Exploited in the Wild
Actively exploited zero-day. Linked to Storm-2460 ransomware deployment via PipeMagic. Added to CISA KEV.
Summary
| Field | Value |
|---|---|
| Driver | clfs.sys |
| Vulnerability Class | Use-After-Free |
| CVSS | 7.8 |
| Exploited ITW | Yes |
| Patch Date | May 13, 2025 |
Root Cause
One month after CVE-2025-29824, CLFS was back in the zero-day spotlight. CVE-2025-32701 is a use-after-free in the CLFS driver's management of log stream objects, and it was actively exploited before the May 2025 patch.
The CLFS driver manages log stream objects that represent open log files. These objects have reference counts that track how many code paths are actively using them. The vulnerability surfaces when specific log operations, particularly CreateLogFile and AddLogContainer, cause internal structures to be freed prematurely while other references remain active. When a subsequent operation follows a stale reference to the freed object, it reads memory that may have been reallocated for a different purpose.
This is the second consecutive month with a CLFS zero-day, following April's CVE-2025-29824. The two bugs target different aspects of CLFS internals (container context offsets vs. log stream object lifetimes), but they share the same fundamental weakness: the CLFS subsystem's memory management is not robust against adversarial log file content.
Exploitation
The exploitation pattern builds on the CLFS techniques established in earlier CVEs. The attacker creates and manipulates CLFS log files to trigger the premature free of a log stream object. Before triggering the free, the attacker grooms the kernel pool so that the chunk about to be freed will be handed back to the next same-size allocation the attacker makes.
Once the free fires, the attacker's pool spray reclaims the chunk with controlled data. When the kernel follows the stale reference, it operates on the forged object, whose fields the attacker has filled with crafted pointers. Dereferencing those pointers gives the attacker control over a kernel pointer, the primitive from which the escalation to SYSTEM is built.
In some configurations the pool layout around CLFS allocations is predictable enough that an exploit can land the reclaim without a separate information-disclosure bug to defeat KASLR. Pairing the bug with an info-leak nonetheless makes both the reclaim and the forged pointers reliable across Windows builds, which matters here: a spray that fails to reclaim the chunk, or a forged pointer aimed at the wrong address, ends in a bug check rather than a SYSTEM token.
Exploitation Primitive
CreateLogFile / AddLogContainer trigger premature stream object free
--> pool grooming places controlled data in freed region
--> stale reference follows forged object
--> corrupted pointer dereference --> SYSTEM
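The root cause (a log stream object freed while a reference is still held) and the primitive chain above are easier to see in a small model. The following C program is an added example, not code from the page or from Microsoft: it simulates a fixed-size kernel pool bucket with a LIFO free list, a refcounted stream object whose layout is hypothetical (it is not the real clfs.sys structure), an operation that releases one reference too many, and the attacker's reclaim of the freed chunk with a forged object. The names `add_container_vuln`, `add_container_fixed` and `groom` are illustrative, and the callback functions stand in for whatever the kernel would call through the corrupted pointer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy fixed-size pool standing in for a kernel pool bucket: every chunk is
 * the same size and the free list is LIFO, so the next same-size allocation
 * reuses the most recently freed chunk. That reuse is what pool grooming
 * relies on. (A model only; not ExAllocatePool.) */
#define CHUNK 64
#define NCHUNK 8
static _Alignas(16) uint8_t pool[NCHUNK][CHUNK];
static int freelist[NCHUNK];
static int nfree;

static void pool_init(void) {
    nfree = 0;
    for (int i = NCHUNK - 1; i >= 0; i--) freelist[nfree++] = i;
}
static void *pool_alloc(void) { return nfree ? pool[freelist[--nfree]] : NULL; }
static void pool_free(void *p) {
    freelist[nfree++] = (int)(((uint8_t *)p - pool[0]) / CHUNK);
}

/* Simplified log stream object: a reference count plus a callback pointer.
 * Hypothetical layout chosen to illustrate the lifetime bug. */
typedef int (*stream_op)(void);
typedef struct {
    int refs;
    stream_op on_close;
    char name[32];
} log_stream;
_Static_assert(sizeof(log_stream) <= CHUNK, "object must fit one pool chunk");

static int legit_close(void)    { return 0; }  /* what the kernel meant to call */
static int attacker_close(void) { return 1; }  /* stands in for a gadget/shellcode */

static log_stream *stream_open(const char *name) {
    log_stream *s = pool_alloc();
    if (!s) return NULL;
    s->refs = 1;                      /* the opener's reference */
    s->on_close = legit_close;
    snprintf(s->name, sizeof s->name, "%s", name);
    return s;
}
static void stream_release(log_stream *s) {
    if (--s->refs == 0) pool_free(s);  /* last reference: chunk returns to the pool */
}

/* Vulnerable operation: takes a temporary reference but releases twice, so the
 * opener's reference is dropped and the object is freed while the opener still
 * holds a pointer to it. */
static void add_container_vuln(log_stream *s) {
    s->refs++;          /* acquire for the duration of the operation */
    stream_release(s);  /* release the temporary reference */
    stream_release(s);  /* BUG: unbalanced release frees the live object */
}
/* Fixed operation: acquire and release are balanced. */
static void add_container_fixed(log_stream *s) {
    s->refs++;
    stream_release(s);
}

/* Attacker side: immediately request another same-size chunk and fill it with
 * a forged log_stream whose callback points where the attacker wants. */
static int groom(void) {
    void *chunk = pool_alloc();
    if (!chunk) return -1;
    log_stream forged = { .refs = 1, .on_close = attacker_close };
    memcpy(chunk, &forged, sizeof forged);
    return 0;
}

/* Runs open -> operation -> groom -> follow the opener's pointer.
 * Returns 0 if the legitimate callback ran, 1 if the forged one did. */
static int run_scenario(void (*add_container)(log_stream *)) {
    pool_init();
    log_stream *s = stream_open("attacker.blf");  /* constructed sample name */
    if (!s) return -1;
    add_container(s);            /* the vulnerable variant frees s here */
    if (groom() < 0) return -1;  /* reclaims the chunk only if it was freed */
    return s->on_close();        /* stale dereference in the vulnerable case */
}

int main(void) {
    printf("vulnerable: %d (1 = forged callback reached)\n", run_scenario(add_container_vuln));
    printf("fixed:      %d (0 = legitimate callback)\n", run_scenario(add_container_fixed));
    return 0;
}
```

With the balanced release, the groom lands in a different chunk and the opener's pointer still refers to the live object; with the extra release, the same chunk is handed straight back to the attacker, and the first use of the stale pointer runs attacker-chosen code. In the real kernel the forged callback would have to be a kernel-mode gadget because of SMEP, and a failed reclaim crashes the machine, which is why the write-up stresses the reliability of the spray.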
Broader Significance
CVE-2025-32701 marks the continuation of a multi-year pattern: CLFS has produced exploitable zero-days in 2022 (CVE-2022-37969), 2023 (CVE-2023-23376, CVE-2023-28252), 2024 (CVE-2024-49138), and now two in consecutive months in 2025. The driver's complex on-disk metadata format, combined with the fact that any local user can create and manipulate log files through the public CLFS API, creates a persistent attack surface. Each patch fixes the specific validation gap that was exploited, but the structural issues, trusting on-disk metadata and complex object lifecycle management, remain. Until CLFS undergoes a comprehensive security overhaul, expect more entries in this series.