
CVE-2025-62457

cldflt.sys -- out-of-bounds read in Cloud Files Mini Filter reparse data handling

Summary

Field                Value
Driver               cldflt.sys
Vulnerability Class  Out-of-Bounds Read
CVSS                 7.8
Exploited ITW        No
Patch Date           December 9, 2025

Context

Out-of-bounds reads in kernel drivers are often treated as low-severity information disclosures, but CVE-2025-62457 carries a 7.8 CVSS score because the OOB read in cldflt.sys can be leveraged for privilege escalation. This is the same driver that produced the ITW-exploited CVE-2023-36036 (heap overflow via crafted reparse data) and CVE-2025-62221 (use-after-free). The reparse data parsing surface in cldflt.sys has been a reliable source of memory safety issues.

Root Cause

The Cloud Files Mini Filter driver omits a bounds check when parsing the reparse data attached to cloud file placeholders. It takes a length or offset field embedded in the reparse data buffer and uses it directly, without validating it against the size of the buffer it actually received, so a crafted value makes the driver read past the end of the allocated region.

The OOB read leaks kernel pool contents. Depending on what sits adjacent to the buffer in the kernel pool, the leaked bytes can include kernel addresses (defeating KASLR), token pointers, or other sensitive structures. If the out-of-range value is then used as the length of a copy or as an input to a size calculation, the read can also turn into memory corruption rather than just disclosure, which is why the bug is scored as a privilege escalation and not only as an information leak.
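
The shape of the bug, as an added example that is not the page's own or Microsoft's code: a user-mode C model of a reparse-data parser that trusts an embedded length field, next to a hardened version that checks it. The outer header mirrors the documented REPARSE_DATA_BUFFER layout and IO_REPARSE_TAG_CLOUD is the real tag value, but the inner cloud_record_t layout, its field names, the simulated pool (g_pool) and the neighbour bytes placed after the buffer are assumptions made up for the demonstration and do not match the actual cldflt.sys format.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Real tag value for cloud file placeholders (ntifs.h). */
#define IO_REPARSE_TAG_CLOUD 0x9000001AUL

#pragma pack(push, 1)
/* Outer header, same layout as the documented REPARSE_DATA_BUFFER. */
typedef struct {
    uint32_t ReparseTag;
    uint16_t ReparseDataLength;   /* bytes of DataBuffer that follow */
    uint16_t Reserved;
    uint8_t  DataBuffer[];
} reparse_data_buffer_t;

/* Hypothetical inner record: the length/offset pair the parser trusts.
 * Assumed for the demo only, not the real cldflt.sys format. */
typedef struct {
    uint16_t PayloadOffset;       /* relative to DataBuffer */
    uint16_t PayloadLength;       /* attacker-controlled */
} cloud_record_t;
#pragma pack(pop)

/* Constructed "pool": the reparse buffer is the first 24 bytes; the bytes
 * after it stand in for whatever neighbour the kernel pool put there. */
#define POOL_SIZE        128
#define REPARSE_BUF_SIZE 24   /* 8 header + 4 record + 12 payload */
static uint8_t g_pool[POOL_SIZE];
/* Constructed neighbour contents, shaped like a kernel pointer. */
static const uint8_t k_neighbour[8] = { 0xef, 0xbe, 0xad, 0xde, 0x00, 0x80, 0xff, 0xff };

/* Builds the input. With evil set, PayloadLength claims 40 bytes although only 12 exist. */
size_t build_input(bool evil) {
    reparse_data_buffer_t *rdb = (reparse_data_buffer_t *)g_pool;
    cloud_record_t *rec = (cloud_record_t *)rdb->DataBuffer;
    memset(g_pool, 0, sizeof g_pool);
    rdb->ReparseTag = IO_REPARSE_TAG_CLOUD;
    rdb->ReparseDataLength = (uint16_t)(REPARSE_BUF_SIZE - sizeof *rdb);   /* 16 */
    rec->PayloadOffset = (uint16_t)sizeof *rec;                             /* 4 */
    rec->PayloadLength = evil ? 40 : 12;
    memset(rdb->DataBuffer + rec->PayloadOffset, 'P', 12);
    memcpy(g_pool + REPARSE_BUF_SIZE, k_neighbour, sizeof k_neighbour);
    return REPARSE_BUF_SIZE;
}

/* Vulnerable pattern: the inner length is used as-is and never compared with
 * buf_len, so a lying PayloadLength reads past the end of the buffer. */
size_t parse_cloud_unsafe(const uint8_t *buf, size_t buf_len,
                          uint8_t *out, size_t out_cap) {
    const reparse_data_buffer_t *rdb = (const reparse_data_buffer_t *)buf;
    const cloud_record_t *rec;
    size_t n;
    if (buf_len < sizeof *rdb || rdb->ReparseTag != IO_REPARSE_TAG_CLOUD)
        return 0;
    rec = (const cloud_record_t *)rdb->DataBuffer;
    n = rec->PayloadLength;
    if (n > out_cap)
        n = out_cap;              /* guards the destination only, not the source */
    memcpy(out, rdb->DataBuffer + rec->PayloadOffset, n);   /* OOB read */
    return n;
}

/* Hardened version: every embedded length is checked against the size the
 * caller actually received. Returns 0 or a negative code naming the failed check. */
int parse_cloud_safe(const uint8_t *buf, size_t buf_len,
                     uint8_t *out, size_t out_cap, size_t *out_len) {
    const reparse_data_buffer_t *rdb;
    const cloud_record_t *rec;
    size_t data_len, end;
    *out_len = 0;
    if (buf_len < sizeof *rdb) return -1;                  /* header truncated */
    rdb = (const reparse_data_buffer_t *)buf;
    if (rdb->ReparseTag != IO_REPARSE_TAG_CLOUD) return -2;
    data_len = rdb->ReparseDataLength;
    if (data_len > buf_len - sizeof *rdb) return -3;       /* outer length lies */
    if (data_len < sizeof *rec) return -4;                 /* no room for the record */
    rec = (const cloud_record_t *)rdb->DataBuffer;
    end = (size_t)rec->PayloadOffset + rec->PayloadLength; /* widened, cannot wrap */
    if (rec->PayloadOffset < sizeof *rec || end > data_len) return -5;  /* inner span escapes */
    if (rec->PayloadLength > out_cap) return -6;
    memcpy(out, rdb->DataBuffer + rec->PayloadOffset, rec->PayloadLength);
    *out_len = rec->PayloadLength;
    return 0;
}

/* True if the unsafe parser returned bytes that live beyond the 24-byte buffer. */
bool unsafe_leaks_neighbour(void) {
    uint8_t out[64];
    size_t len = build_input(true);
    size_t n = parse_cloud_unsafe(g_pool, len, out, sizeof out);
    return n == 40 && memcmp(out + 12, k_neighbour, sizeof k_neighbour) == 0;
}

/* Runs the safe parser on a freshly built input, passing claimed_len as buf_len. */
int safe_verdict(bool evil, size_t claimed_len, size_t *copied) {
    uint8_t out[64];
    build_input(evil);
    return parse_cloud_safe(g_pool, claimed_len, out, sizeof out, copied);
}

int main(void) {
    size_t n;
    int rc;
    printf("unsafe parser leaked neighbour bytes: %s\n",
           unsafe_leaks_neighbour() ? "yes" : "no");
    printf("safe parser on crafted input: %d\n", safe_verdict(true, REPARSE_BUF_SIZE, &n));
    rc = safe_verdict(false, REPARSE_BUF_SIZE, &n);
    printf("safe parser on valid input:   %d (%zu bytes)\n", rc, n);
    return 0;
}
```

The unsafe parser hands back the 8 neighbour bytes right after the 12 real payload bytes, which is what a pool-adjacent leak looks like from the attacker's side. The safe parser validates the outer ReparseDataLength against the buffer it actually received before trusting any inner field, and then checks offset plus length against that validated length rather than against the caller's buffer, so the inner record cannot reach outside the region the outer header describes either.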

Exploitation

An attacker crafts reparse data that triggers the OOB read. The leaked kernel data serves either as a standalone information disclosure or, more practically, as the KASLR-bypass step in a multi-bug chain: paired with a write primitive from another cldflt.sys bug or from a different driver, the leaked kernel base address completes the path to SYSTEM.

Exploitation Primitive

Crafted reparse data --> OOB read
  --> information disclosure / corruption --> SYSTEM

Broader Significance

The repeated appearance of reparse data parsing bugs in cldflt.sys points to a structural issue. Reparse data is a variable-length, user-influenced structure that the driver must parse in kernel mode. Each time Microsoft patches one parsing path, adjacent code paths with similar validation gaps survive to the next cycle. This CVE, landing alongside CVE-2025-62454 in the same patch, illustrates how a single driver component can harbor multiple distinct vulnerabilities simultaneously.

References