CVE-2025-60709
clfs.sys -- out-of-bounds read in log file metadata processing
Summary
| Field | Value |
|---|---|
| Driver | clfs.sys |
| Vulnerability Class | Out-of-Bounds Read |
| CVSS | 7.8 |
| Exploited ITW | No |
| Patch Date | November 11, 2025 |
Root Cause
The Common Log File System driver continues to generate vulnerability reports with metronomic regularity. CVE-2025-60709 is another instance of the fundamental CLFS problem: the driver parses user-writable Base Log Files (BLF) in kernel context and trusts offsets embedded in the file metadata.
In this case, the driver skips validation on offset fields when reading log file metadata from a BLF. When the attacker crafts a BLF with offset values that point beyond the bounds of the metadata buffer, the driver reads past the end of the allocation. This out-of-bounds read can leak kernel memory contents or, depending on the surrounding pool layout, access freed or uninitialized memory.
While OOB reads are typically classified as information disclosure, the CVSS score of 7.8 suggests that the read can be weaponized for more than just address leaks. In certain pool layouts, reading past the buffer boundary can return data that the driver subsequently uses as a pointer or size value, creating a secondary corruption primitive. This is the pattern seen in other CLFS bugs where a metadata read drives subsequent kernel operations.
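The check the advisory describes as missing, shown as an added example (not code from the page, from Microsoft, or from clfs.sys): a hypothetical fixed-size metadata header carrying an offset and length back into its own buffer, read only after both are validated against the allocation that holds them. The struct layout, `read_record_checked`, `check_sample` and the magic value are assumptions for illustration and are not the real BLF format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical metadata layout for illustration only; it is not the real
 * CLFS BLF format. A fixed header carries an offset and a length that
 * refer back into the same buffer, the kind of file-supplied field the
 * advisory says the driver trusted without validation. */
typedef struct {
    uint32_t magic;
    uint32_t record_offset;   /* file-controlled: where a record supposedly lives */
    uint32_t record_length;   /* file-controlled: how many bytes to read there */
} meta_header_t;

/* The vulnerable pattern is this function with the three range checks
 * removed: memcpy(out, buf + record_offset, record_length) driven straight
 * by the file, so an offset past the end reads beyond the pool allocation.
 * The hardened form validates every file-derived value against the size
 * of the allocation that actually holds it before dereferencing anything.
 * Returns the number of bytes copied, or -1 if the metadata is out of bounds. */
int read_record_checked(const uint8_t *buf, size_t buf_len,
                        uint8_t *out, size_t out_len)
{
    meta_header_t hdr;
    if (buf_len < sizeof(hdr))                        /* header must fit first */
        return -1;
    memcpy(&hdr, buf, sizeof(hdr));                   /* no aliasing cast needed */
    /* Subtraction form: offset + length could wrap a 32-bit sum. */
    if (hdr.record_offset > buf_len)
        return -1;
    if (hdr.record_length > buf_len - hdr.record_offset)
        return -1;
    if (hdr.record_length > out_len)                  /* destination must fit too */
        return -1;
    memcpy(out, buf + hdr.record_offset, hdr.record_length);
    return (int)hdr.record_length;
}

/* Constructed 32-byte "file": header followed by 20 bytes of filler.
 * offset/length are chosen by the caller to emulate well-formed and
 * malformed metadata. Returns what read_record_checked reports. */
int check_sample(uint32_t offset, uint32_t length)
{
    uint8_t file[32] = {0};
    uint8_t out[32];
    meta_header_t hdr = { 0x424C4600u, offset, length };  /* magic is arbitrary */
    memcpy(file, &hdr, sizeof(hdr));
    memset(file + sizeof(hdr), 0xAA, sizeof(file) - sizeof(hdr));
    return read_record_checked(file, sizeof(file), out, sizeof(out));
}
```

The two rejections worth noting are an offset exactly at the buffer end with a non-zero length, and a huge length with a small offset, which a naive `offset + length <= buf_len` check would accept after 32-bit wraparound.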
Exploitation
The attacker creates a CLFS log file with metadata containing malformed offset values. When the driver processes this file, it reads beyond the metadata buffer's bounds. The OOB read returns kernel memory contents that may include:
- Kernel pointers that defeat KASLR
- Pool metadata that reveals heap layout
- Values that the driver uses in subsequent operations (size calculations, pointer arithmetic)
If the OOB read returns data used in downstream operations, the attacker can chain the information disclosure with a write primitive to achieve SYSTEM escalation. This depends on the specific code path and pool layout, but CLFS exploitation has well-established techniques for controlling both.
Exploitation Primitive
Crafted CLFS log file with malformed offsets -> clfs.sys OOB read
-> kernel memory disclosure / secondary corruption
-> KASLR bypass or write primitive -> SYSTEM
Broader Significance
CVE-2025-60709 is yet another entry in the growing CLFS vulnerability catalog tracked in KernelSight. The pattern is unmistakable: CLFS BLF files are user-writable artifacts parsed in ring 0, and every offset, size, and count field in the file format is a potential source of out-of-bounds access. Each vulnerability patched represents a specific field that lacked validation, but the architectural issue (trusting file-based metadata in kernel context) persists. This CVE adds to the case for Microsoft to consider a more fundamental redesign of how CLFS handles untrusted BLF files.