CVE-2025-62454
cldflt.sys -- elevation of privilege in Cloud Files Mini Filter
Summary
| Field | Value |
|---|---|
| Driver | cldflt.sys |
| Vulnerability Class | Elevation of Privilege |
| CVSS | 7.8 |
| Exploited ITW | No |
| Patch Date | December 9, 2025 |
Context
CVE-2025-62454 is one of three cldflt.sys vulnerabilities addressed in the December 2025 Patch Tuesday cycle, alongside CVE-2025-62457 (an out-of-bounds read); it follows an earlier batch of fixes in the same driver. The Cloud Files Mini Filter driver has been a recurring source of kernel bugs since CVE-2023-36036 was exploited in the wild. Microsoft has patched eight distinct cldflt.sys CVEs in the KernelSight corpus, spanning heap overflows, race conditions, use-after-frees, and now this elevation of privilege.
What makes cldflt.sys interesting as an attack surface is its reachability. The driver processes cloud file placeholder operations, reparse data, and sync callbacks on behalf of OneDrive and other cloud storage providers, and those providers talk to it through the user-mode Cloud Filter API (cldapi.dll) while running as the interactive user. Nothing in that path requires elevation, so an unprivileged process gets a low-barrier route into kernel-mode code that parses complex, variable-length structures.
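A practitioner reading this will want to know whether a given host carries the attack surface described above and whether its cldflt.sys build predates the fix. The PowerShell below is an added exposure check, not part of the original write-up or of any Microsoft tooling. It assumes the driver's service name is `CldFlt`, that the binary lives under `System32\drivers`, and that registered sync roots are recorded under the `Explorer\SyncRootManager` registry key. It does not know the patched file version: that number is not on this page and must be taken from the KB article for the December 2025 update and passed in as `-PatchedFileVersion`.

```powershell
# Added exposure check for the cldflt.sys attack surface (CVE-2025-62454).
# Not part of the original advisory write-up. Assumptions: driver service
# name "CldFlt", binary under System32\drivers, sync roots recorded under
# Explorer\SyncRootManager. The patched file version is a placeholder
# parameter that the caller fills in from Microsoft's KB file manifest.
param(
    [version]$PatchedFileVersion = $null   # e.g. from the December 2025 KB; assumption
)

$driverPath = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'
$result = [ordered]@{}

# 1. Is the binary on disk, and which build is it? Build the version from
#    the numeric parts so the trailing "(WinBuild...)" text does not break parsing.
if (Test-Path $driverPath) {
    $vi = (Get-Item $driverPath).VersionInfo
    $result.FileVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                         $vi.FileBuildPart, $vi.FilePrivatePart)
} else {
    $result.FileVersion = $null
}

# 2. Is the mini filter actually loaded? Win32_SystemDriver is readable
#    without admin, unlike "fltmc filters".
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='CldFlt'" `
        -ErrorAction SilentlyContinue
$result.DriverState = if ($drv) { $drv.State } else { 'NotInstalled' }

# 3. Which sync roots are registered? A registered sync root is what a
#    sync provider uses to drive placeholder and reparse operations.
$srmKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager'
$result.SyncRoots = if (Test-Path $srmKey) {
    @(Get-ChildItem $srmKey -ErrorAction SilentlyContinue | ForEach-Object { $_.PSChildName })
} else { @() }
$result.SyncRootCount = $result.SyncRoots.Count

# 4. Verdict. A running filter is the attack surface regardless of whether a
#    sync root exists yet; patched status is only known if a threshold was given.
$result.AttackSurfacePresent = ($result.DriverState -eq 'Running')
$result.Patched = if ($PatchedFileVersion -and $result.FileVersion) {
    $result.FileVersion -ge $PatchedFileVersion
} else {
    'Unknown (no -PatchedFileVersion supplied)'
}

[pscustomobject]$result | Format-List
```

Run it as `.\Check-CldFlt.ps1 -PatchedFileVersion 10.0.xxxxx.xxxx` once the fixed build number is known; without that argument the script still reports whether the filter is running and which sync roots exist, which is the exposure question the Context section raises. Treat `AttackSurfacePresent = True` with an unpatched or unknown version as a host that needs the December 2025 update.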
Root Cause
Microsoft's advisory does not disclose the root cause beyond confirming an elevation of privilege. What follows is inference from the other cldflt.sys entries in this corpus, not a confirmed analysis of this bug: the likely mechanism is insufficient validation while processing cloud file placeholder or reparse data, since the driver's history shows repeated bounds-checking failures on variable-length structures that arrive through filter manager callbacks.
Exploitation
A local attacker issues crafted cloud file operations that reach the vulnerable code path in cldflt.sys. The exact primitive is not publicly documented. Earlier cldflt.sys exploits in this corpus were built by corrupting kernel pool allocations adjacent to the driver's own, then turning that corruption into token manipulation or an arbitrary write; whether this CVE yields the same primitive is not known.
Exploitation Primitive
Crafted cloud file operation --> kernel vulnerability (root cause undisclosed) --> SYSTEM
Broader Significance
This CVE is part of a pattern in which cloud storage integration drivers become persistent kernel attack surfaces. cldflt.sys is present by default on Windows 10 and 11 and active wherever OneDrive is in use, so the attack surface exists on hundreds of millions of machines. Eight CVEs in three years suggest structural complexity in the driver's parsing logic that incremental patching has not resolved.