CVE-2025-62221
cldflt.sys -- use-after-free in Cloud Files Mini Filter allows SYSTEM escalation
Exploited in the Wild
Actively exploited zero-day. Broad impact across VDIs, workstations, and enterprise hosts.
Summary
| Field | Value |
|---|---|
| Driver | cldflt.sys (Cloud Files Mini Filter Driver) |
| Vulnerability Class | Use-After-Free |
| CVSS | 7.8 |
| Exploited ITW | Yes |
| Patch Date | December 9, 2025 |
Root Cause
The Cloud Files Mini Filter driver (cldflt.sys) handles synchronization between local files and cloud storage providers like OneDrive and SharePoint. It intercepts file system operations to manage the hydration state of cloud-synced files: determining whether a file exists as a local copy or as a cloud placeholder that needs to be downloaded on access.
CVE-2025-62221 is the fourth cldflt.sys vulnerability cataloged in KernelSight, following CVE-2023-36036 (also exploited ITW), CVE-2024-30085, and CVE-2024-49114. The pattern across these vulnerabilities is consistent: the driver manages complex filter context objects whose lifetimes must be coordinated across concurrent file system operations, and gaps in that coordination produce use-after-free conditions.
In this instance, the driver mismanages object lifetimes during filter operations. A concurrent I/O path dereferences a filter context that has already been freed by another code path. The freed memory returns to the pool allocator, and the stale dereference hits whatever now occupies that memory region.
The vulnerability was actively exploited as a zero-day before the December 2025 patch. The broad attack surface (every Windows system with OneDrive or SharePoint configured uses cldflt.sys) made this particularly impactful in enterprise environments. VDI deployments, shared workstations, and domain-joined hosts with cloud file sync enabled were all exposed.
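The following PowerShell triage script is an added example, not part of the KernelSight entry: it reports whether the Cloud Files minifilter is registered, running and attached on a host, whether any cloud sync roots are registered, the on-disk driver version, and whether the December 2025 fix is installed. The fixed KB number and driver build are not given on this page and are left as placeholders to fill from the Microsoft advisory; the CldFlt service name and the SyncRootManager registry key are assumed from Windows conventions.

```powershell
# Exposure triage for CVE-2025-62221 (cldflt.sys). Added example, not KernelSight code.
# PLACEHOLDERS: take the KB and fixed driver build for your OS build from the vendor advisory.
$FixedKb          = 'KB<PLACEHOLDER>'   # December 9, 2025 cumulative update for this build
$FixedDriverBuild = $null               # e.g. [version]'10.0.26100.1234' once known; $null = skip

$report = [ordered]@{}

# 1. Is the Cloud Files minifilter service registered, and is the driver loaded?
#    (Service name 'CldFlt' is assumed; confirm under HKLM\SYSTEM\CurrentControlSet\Services.)
$svc = Get-CimInstance Win32_SystemDriver -Filter "Name='CldFlt'" -ErrorAction SilentlyContinue
$report.DriverRegistered = [bool]$svc
$report.DriverRunning    = [bool]($svc -and $svc.State -eq 'Running')

# 2. Is it currently attached as a filter? (fltmc needs an elevated prompt; errors are ignored)
$attached = (& fltmc.exe filters 2>$null) -match '^\s*CldFlt\b'
$report.FilterAttached = [bool]$attached

# 3. Driver file version on disk, built from the numeric parts so it parses as [version]
$drv = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'
$ver = 'missing'
if (Test-Path $drv) {
    $vi  = (Get-Item $drv).VersionInfo
    $ver = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}
$report.DriverFileVersion = $ver

# 4. Is a cloud provider (OneDrive/SharePoint) actually registered as a sync root?
#    (Registry location assumed from the Cloud Files API's sync root registration.)
$syncRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager'
$report.SyncRootsRegistered = (Test-Path $syncRoots) -and ((Get-ChildItem $syncRoots).Count -gt 0)

# 5. Patch status: installed KB, and optionally the driver build against the fixed build
$report.FixedKbInstalled = [bool](Get-HotFix -Id $FixedKb -ErrorAction SilentlyContinue)
if ($FixedDriverBuild -and $ver -ne 'missing') {
    $report.DriverAtOrAboveFix = ([version]$ver -ge $FixedDriverBuild)
}

# Verdict: the host is exposed if the filter is present or attached and the fix is absent.
$report.Exposed = ($report.DriverRunning -or $report.FilterAttached) -and -not $report.FixedKbInstalled
[pscustomobject]$report
```

Run it elevated so the fltmc step can enumerate attached filters; with the placeholders left unfilled the KB check simply reports the fix as not installed.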
Exploitation
A local authenticated attacker triggers the UAF through crafted file operations that create the lifetime mismatch in the filter context. The attack is local (not remote), requiring an authenticated session on the target system.
Once the filter context is freed and the stale reference persists, the attacker sprays the kernel heap to reclaim the freed allocation with controlled data. The stale dereference operates on the attacker's data, corrupting kernel state. Standard exploitation techniques (controlled object placement, token manipulation) complete the chain to SYSTEM.
The in-the-wild exploitation was observed across enterprise environments where cloud file sync is ubiquitous. Multiple security vendors and outlets (CrowdStrike, Tenable, CSO Online) published analyses of the vulnerability and its impact during the December 2025 patch cycle.
Exploitation Primitive
Crafted file operations -> cldflt.sys filter context freed
-> concurrent I/O dereferences stale pointer -> UAF
-> heap reclaim -> kernel memory corruption -> SYSTEM
Broader Significance
Four cldflt.sys vulnerabilities in three years, two of them exploited in the wild (CVE-2023-36036 and CVE-2025-62221), establish this driver as one of the most actively targeted kernel attack surfaces in the Windows ecosystem. The driver's presence on virtually every enterprise Windows system (OneDrive is bundled with Windows 10 and 11), combined with its kernel-mode processing of concurrent file operations, makes it a high-value target for both opportunistic and targeted attacks.
The recurring nature of the vulnerabilities, all related to object lifetime management across concurrent operations, suggests that the driver would benefit from architectural hardening of its internal reference counting and context lifecycle management. Point fixes for individual code paths have not been sufficient to address the underlying complexity of managing filter contexts across concurrent file system operations.