CVE-2026-20820
clfs.sys -- heap-based buffer overflow in log file metadata processing, continuing the CLFS exploitation pattern
Summary
| Field | Value |
|---|---|
| Driver | clfs.sys |
| Vulnerability Class | Buffer Overflow (Heap) |
| CVSS | 7.8 |
| Exploited ITW | No |
| Patch Date | January 13, 2026 |
Context
By January 2026, CLFS had produced its eleventh CVE in the KernelSight corpus. The pattern at this point is unmistakable: the Common Log File System driver parses on-disk metadata structures with insufficient validation, and each patch cycle fixes one or two parsing paths while leaving others intact. Five of the previous ten CLFS CVEs were exploited in the wild, including the Nokoyawa ransomware zero-day CVE-2023-28252 and the Storm-2460 zero-day CVE-2025-29824.
CVE-2026-20820 follows the same heap overflow pattern that has defined CLFS exploitation since 2022. The consistency of this bug class in a single driver makes CLFS the single best example of how a complex on-disk format creates a persistent kernel attack surface.
Root Cause
A heap-based buffer overflow occurs during CLFS log file metadata processing. The driver reads structure sizes and offsets from the on-disk log file format and uses them to allocate kernel pool buffers and copy data. When these fields are inconsistent, the driver allocates a buffer based on one value and writes data based on another, overflowing the heap allocation and corrupting adjacent kernel pool objects.
This is structurally identical to CVE-2025-62470, CVE-2025-32713, CVE-2025-32706, and CVE-2024-49138. The difference is which specific metadata field and which parsing code path is involved.
Exploitation
The attacker creates a crafted CLFS log file (.BLF) with malformed metadata. The heap overflow corrupts adjacent kernel pool objects, which the attacker controls through pool spray techniques. The corrupted objects provide a kernel write primitive, which is used for token manipulation to achieve SYSTEM.
Exploitation Primitive
Crafted CLFS log file --> heap buffer overflow --> adjacent object corruption --> SYSTEM
Broader Significance
CVE-2026-20820 represents the eleventh distinct CLFS vulnerability and the seventh heap overflow variant. At this point, the CLFS driver is not being fixed so much as being patched one code path at a time. The on-disk format contains dozens of interrelated fields, and the driver trusts all of them. Until the parsing architecture changes fundamentally, or until CLFS metadata is validated in a sandbox layer before kernel processing, new CVEs in this driver are essentially guaranteed.
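The Root Cause section above describes the bug class in the abstract: the allocation is sized from one on-disk field while the copy is driven by others, and the two are never reconciled. The closing remark that CLFS metadata should be validated before kernel processing describes the fix in the abstract. The following C program is an added illustration of both points, not code from the page, from Microsoft, or from the KernelSight corpus. The `block_header_t` layout, the field names, the `BLK_MAX_SIZE` bound and the sample blocks are all hypothetical and constructed here; they model the pattern, not the real CLFS on-disk format. `validate_weak` checks only the field that sizes the allocation, which is the shape of the vulnerability; `validate_strict` cross-checks every field that drives a write against it, in 64-bit arithmetic so a 32-bit product cannot wrap. The parser reports an out-of-bounds copy rather than performing it, so the program is safe to run.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical on-disk block header. It is NOT the real CLFS layout; it only
 * models the pattern described above: one field sizes the allocation, other
 * fields drive the copy, and all of them come from the untrusted file. */
typedef struct {
    uint32_t total_size;    /* claimed block size: what the driver allocates */
    uint32_t record_count;  /* number of records that follow the header */
    uint32_t record_size;   /* bytes per record */
    uint32_t data_offset;   /* offset of the first record from block start */
} block_header_t;

enum { BLK_OK = 0, BLK_ERR_TRUNCATED, BLK_ERR_TOO_LARGE, BLK_ERR_INCONSISTENT };

#define BLK_MAX_SIZE (1u << 20)  /* assumed upper bound on a single block */

/* Weak check, the shape of the bug class: only the field that sizes the
 * allocation is examined; the fields that drive the write are trusted. */
static int validate_weak(const block_header_t *h, size_t file_len) {
    if (h->total_size > file_len) return BLK_ERR_TOO_LARGE;
    return BLK_OK;
}

/* Hardened check: every field that drives a write is cross-checked against
 * the field that drives the allocation. (2^32-1)^2 fits in a uint64_t, so
 * the product below cannot wrap. */
static int validate_strict(const block_header_t *h, size_t file_len) {
    if (h->total_size > BLK_MAX_SIZE || h->total_size > file_len) return BLK_ERR_TOO_LARGE;
    if (h->total_size < sizeof(block_header_t)) return BLK_ERR_TRUNCATED;
    if (h->data_offset < sizeof(block_header_t) || h->data_offset > h->total_size)
        return BLK_ERR_INCONSISTENT;
    uint64_t payload = (uint64_t)h->record_count * h->record_size;
    uint64_t room = (uint64_t)h->total_size - h->data_offset;
    if (payload > room) return BLK_ERR_INCONSISTENT;
    return BLK_OK;
}

typedef struct {
    int status;          /* BLK_* result from the validator */
    uint64_t alloc_size; /* pool buffer the driver would allocate */
    uint64_t copy_size;  /* bytes the record loop would write into it */
    int would_overflow;  /* copy_size > alloc_size: the heap overflow */
} parse_result_t;

/* Parses one block the way the write-up describes, but only performs the copy
 * when it fits; otherwise it reports the overflow instead of triggering it. */
static parse_result_t parse_block(const uint8_t *file, size_t file_len,
                                  int (*validate)(const block_header_t *, size_t)) {
    parse_result_t r = {0, 0, 0, 0};
    block_header_t h;
    if (file_len < sizeof h) { r.status = BLK_ERR_TRUNCATED; return r; }
    memcpy(&h, file, sizeof h);              /* every field is attacker-controlled */
    r.status = validate(&h, file_len);
    if (r.status != BLK_OK) return r;
    r.alloc_size = h.total_size;             /* allocation sized from one field... */
    r.copy_size = (uint64_t)h.data_offset +
                  (uint64_t)h.record_count * h.record_size; /* ...write driven by others */
    r.would_overflow = r.copy_size > r.alloc_size;
    if (!r.would_overflow) {
        uint8_t *buf = malloc((size_t)r.alloc_size);
        if (buf) { memcpy(buf, file, (size_t)r.copy_size); free(buf); }
    }
    return r;
}

/* Constructed sample block: header followed by filler bytes. */
static size_t build_block(uint8_t *out, size_t cap, uint32_t total, uint32_t count,
                          uint32_t rsize, uint32_t off) {
    block_header_t h = { total, count, rsize, off };
    if (total > cap || total < sizeof h) return 0;
    memset(out, 0xAA, total);
    memcpy(out, &h, sizeof h);
    return total;
}

/* A 64-byte block whose record fields claim 8 * 16 = 128 payload bytes, more
 * than the 48 bytes left after the header. Returns 1 when the weak validator
 * passes it through to an out-of-bounds copy and the strict one rejects it. */
int inconsistent_block_caught_only_by_strict(void) {
    uint8_t file[64];
    size_t n = build_block(file, sizeof file, 64, 8, 16, 16);
    parse_result_t weak = parse_block(file, n, validate_weak);
    parse_result_t strict = parse_block(file, n, validate_strict);
    return weak.status == BLK_OK && weak.would_overflow &&
           strict.status == BLK_ERR_INCONSISTENT && !strict.would_overflow;
}

/* The same block with 3 records exactly fills the allocation, so it is accepted. */
int consistent_block_accepted(void) {
    uint8_t file[64];
    size_t n = build_block(file, sizeof file, 64, 3, 16, 16);
    parse_result_t r = parse_block(file, n, validate_strict);
    return r.status == BLK_OK && !r.would_overflow && r.copy_size == 64;
}

int main(void) {
    printf("inconsistent block: weak passes, strict rejects = %d\n",
           inconsistent_block_caught_only_by_strict());
    printf("consistent block accepted by strict validator = %d\n", consistent_block_accepted());
    return 0;
}
```

The design point is that `validate_strict` rejects any header where the write-side fields disagree with the allocation-side field before any pool allocation happens, which is what a pre-kernel validation layer for the metadata would have to do for every interrelated field, not just the one a given patch cycle happens to fix.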