CVE-2025-32706

clfs.sys -- heap-based buffer overflow from improper input validation

Exploited in the Wild

Actively exploited zero-day. Patched alongside CVE-2025-32701 in the same cycle.

Summary

Field                 Value
Driver                clfs.sys
Vulnerability Class   Buffer Overflow (Heap)
CVSS                  7.8
Exploited ITW         Yes
Patch Date            May 13, 2025

Root Cause

May 2025 brought not one but two CLFS zero-days in the same Patch Tuesday. While CVE-2025-32701 targeted log stream object lifetimes, CVE-2025-32706 takes a different approach: a heap buffer overflow caused by missing input validation in the CLFS log file metadata parser.

The CLFS driver parses Base Log File (BLF) metadata structures when opening and processing log files. CVE-2025-32706 exploits a code path where the driver trusts a size or count field from the on-disk metadata without validating it against the allocated buffer capacity. When the on-disk value exceeds the buffer size, the subsequent processing writes beyond the buffer boundary, overflowing into adjacent kernel heap objects.

This continues a CLFS exploitation pattern that stretches back years. CVE-2022-37969, CVE-2023-23376, CVE-2023-28252, CVE-2024-49138, CVE-2025-29824, CVE-2025-32701, and now CVE-2025-32706 all share one theme: the CLFS on-disk format contains fields that are used in memory operations without bounds checking, and attackers keep finding new instances of this pattern.
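To make the validation gap concrete, the following is an added illustration, not CLFS code and not taken from this page: a hypothetical metadata record whose count field is read straight from disk, the trusting copy loop that defines this bug class shown only as a comment, and a parser that bounds the count against both the in-memory capacity and the bytes actually present before any copy. The layout, names, and constants are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a BLF metadata block (hypothetical layout, not the
 * real CLFS one): a header whose count comes from disk, then fixed-size entries. */
#define ENTRY_SIZE  16
#define MAX_ENTRIES 8                    /* capacity of the in-memory copy */
struct rec_hdr { uint32_t entry_count; uint32_t reserved; };
struct rec_mem { uint32_t count; uint8_t entries[MAX_ENTRIES][ENTRY_SIZE]; };

/* The bug pattern: entry_count is trusted, so an on-disk value above
 * MAX_ENTRIES drives the copy loop past 'entries' into the neighbouring pool
 * object. Shown only as a comment; never run this form.
 *   for (i = 0; i < hdr->entry_count; i++)
 *       memcpy(out->entries[i], buf + sizeof *hdr + i * ENTRY_SIZE, ENTRY_SIZE);
 */

/* Hardened parse: 0 ok, -1 header short, -2 count exceeds capacity,
 * -3 count exceeds the bytes actually present (would be an OOB read). */
int parse_rec(const uint8_t *buf, size_t len, struct rec_mem *out)
{
    struct rec_hdr hdr;
    if (len < sizeof hdr) return -1;
    memcpy(&hdr, buf, sizeof hdr);
    if (hdr.entry_count > MAX_ENTRIES) return -2;   /* bound by capacity first */
    uint64_t need = (uint64_t)hdr.entry_count * ENTRY_SIZE; /* no 32-bit wrap */
    if (need > len - sizeof hdr) return -3;
    out->count = hdr.entry_count;
    memcpy(out->entries, buf + sizeof hdr, (size_t)need);
    return 0;
}

/* Constructed file: header claims 'count' entries, 'present' entries of filler
 * actually follow. Returns bytes written, 0 if cap is too small. */
size_t make_rec(uint32_t count, uint32_t present, uint8_t *buf, size_t cap)
{
    struct rec_hdr hdr = { count, 0 };
    size_t total = sizeof hdr + (size_t)present * ENTRY_SIZE;
    if (total > cap) return 0;
    memcpy(buf, &hdr, sizeof hdr);
    memset(buf + sizeof hdr, 0xAB, total - sizeof hdr);
    return total;
}

/* Build then parse one case; returns the parse result code. */
int check_case(uint32_t count, uint32_t present)
{
    uint8_t buf[256]; struct rec_mem m;
    size_t n = make_rec(count, present, buf, sizeof buf);
    return n ? parse_rec(buf, n, &m) : -1;
}
```

The second check matters as much as the first: a count that fits the capacity but not the file would otherwise turn the overflow into an out-of-bounds read of whatever follows the input buffer.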

Exploitation

The attacker crafts a BLF log file with metadata fields designed to trigger the heap overflow. When the CLFS driver processes this file, the unvalidated field causes a buffer overwrite in the kernel pool. Adjacent kernel objects are corrupted.

The standard CLFS exploitation chain then applies: pool spray to control adjacency, the overflow to corrupt a predictable object (often a named pipe attribute), and the corrupted object to build read/write primitives. Token manipulation completes the escalation to SYSTEM.

Exploitation Primitive

Crafted BLF file with oversized metadata fields
  --> CLFS driver processes metadata without bounds check
  --> heap buffer overflow in kernel pool
  --> adjacent object corruption --> kernel R/W primitive --> SYSTEM

Broader Significance

Two CLFS zero-days in the same patch cycle, and three in two months (counting April's CVE-2025-29824), cement CLFS as the single most prolific source of Windows EoP zero-days in 2025. The pattern is clear and repeating: each patch fixes the specific validation gap that was exploited, but the underlying architecture (an on-disk format with many trusted fields and a parser that processes them without comprehensive bounds checking) continues to produce new variants. For defenders, any system that has not applied the May 2025 CLFS patches is running with a known exploitable EoP vector that has been weaponized in ransomware campaigns.

References