CVE-2025-62470

clfs.sys -- heap-based buffer overflow in log file structure processing

Summary

Field                Value
Driver               clfs.sys
Vulnerability Class  Buffer Overflow (Heap)
CVSS                 7.8
Exploited ITW        No
Patch Date           December 9, 2025

Context

By December 2025, CLFS had accumulated ten CVEs in the KernelSight corpus, with five of them exploited in the wild. CVE-2025-62470 continues the pattern that began with CVE-2022-37969 and produced ITW zero-days like CVE-2023-28252 and CVE-2025-29824. The Common Log File System driver's on-disk metadata format is dense with embedded offsets, lengths, and structure pointers that the kernel trusts without sufficient validation. Each time Microsoft patches one offset check, nearby parsing paths with similar gaps remain.

Root Cause

A heap-based buffer overflow occurs when clfs.sys processes crafted log file structures. The driver allocates a kernel pool buffer based on one size field from the log file metadata, then copies or processes data using a different size field that exceeds the allocation. The mismatch writes past the end of the allocated buffer, corrupting adjacent kernel pool objects.

This is the same class of bug that has driven CLFS exploitation for years: the log file format contains multiple interrelated size and offset fields, and the driver does not consistently cross-validate them. A corrupted log file can pass initial validation checks while still containing inconsistencies that trigger overflows deeper in the parsing path.
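The allocate-by-one-field, copy-by-another mismatch described above, as an added example that is not the driver's code: a hypothetical three-field metadata record (constructed for illustration, not the real CLFS on-disk layout) with the pre-fix style check that only bounds the allocation field beside a hardened check that cross-validates the fields against each other and against the record's real extent. The field names, sizes and sample records are all assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdlib.h>

/* Hypothetical metadata record, constructed for illustration; this is NOT the
 * real CLFS on-disk layout. Two independent size fields describe one payload. */
struct meta_record {
    uint32_t alloc_size;   /* field the parser uses to size its pool buffer */
    uint32_t data_length;  /* field the parser uses for the copy */
    uint32_t data_offset;  /* where the payload starts inside the record */
};
#define RECORD_BYTES 4096u   /* bytes of the record actually present on disk */
#define MAX_ALLOC    65536u  /* upper bound on a single allocation */

/* Pre-fix style check: only the field that sizes the allocation is bounded. */
bool legacy_validate(const struct meta_record *r)
{
    return r->alloc_size > 0 && r->alloc_size <= MAX_ALLOC;
}

/* Hardened check: every field is cross-validated against the others and
 * against the record's real extent, with arithmetic that cannot wrap. */
bool hardened_validate(const struct meta_record *r)
{
    if (!legacy_validate(r)) return false;
    if (r->data_length > r->alloc_size) return false;             /* copy > buffer */
    if (r->data_offset >= RECORD_BYTES) return false;              /* offset past end */
    if (r->data_length > RECORD_BYTES - r->data_offset) return false; /* truncated */
    return true;
}

/* Parses a record the fixed way: the buffer is sized from alloc_size and the
 * copy runs only after the cross-check, so memcpy cannot exceed either bound.
 * Returns bytes copied, or -1 when the record is rejected. */
int parse_record(const struct meta_record *r, const uint8_t *record)
{
    if (!hardened_validate(r)) return -1;
    uint8_t *buf = malloc(r->alloc_size);  /* stands in for the pool allocation */
    if (!buf) return -1;
    memcpy(buf, record + r->data_offset, r->data_length);
    free(buf);
    return (int)r->data_length;
}

/* Constructed inputs: consistent; copy length > allocation (legacy accepts it); payload runs off the record. */
static uint8_t sample_record[RECORD_BYTES];
const struct meta_record consistent_record = { 512, 512, 64 };
const struct meta_record mismatched_record = { 512, 2048, 64 };
const struct meta_record truncated_record  = { 512, 512, 4000 };
```

The mismatched record is the interesting case: it passes the legacy check, which is exactly how a crafted file clears initial validation and still overflows deeper in the parse.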

Exploitation

The attacker creates a crafted CLFS log file (.BLF) with malformed metadata structures. When the CLFS driver processes this file (either through direct API calls or by triggering log operations on a mounted volume), the heap overflow corrupts adjacent kernel pool objects. Pool spraying places controlled objects in the adjacent slots, and the corruption builds an arbitrary write or read-write primitive. From there, standard token manipulation or callback overwrite techniques yield SYSTEM.

Exploitation Primitive

Crafted CLFS log file --> heap buffer overflow
  --> adjacent object corruption --> SYSTEM

Broader Significance

CLFS is arguably the single most productive kernel attack surface of the 2022-2026 period: twelve CVEs, five of them exploited ITW, and a consistent pattern of heap overflows from metadata parsing. The driver's continued vulnerability raises the question of whether incremental patching can ever secure a file format parser that was designed without adversarial input in mind.