
CVE-2026-20857

cldflt.sys -- elevation of privilege in Cloud Files Mini Filter

Summary

Field                Value
Driver               cldflt.sys
Vulnerability Class  Elevation of Privilege
CVSS                 7.8
Exploited ITW        No
Patch Date           January 13, 2026

Context

The Cloud Files Mini Filter driver reached its eighth CVE in the KernelSight corpus with this January 2026 patch. The driver's history now spans heap overflows (CVE-2023-36036, CVE-2024-30085, CVE-2024-49114), a TOCTOU race condition (CVE-2025-55680), a use-after-free exploited in the wild (CVE-2025-62221), an out-of-bounds read (CVE-2025-62457), and multiple unclassified EoPs. The breadth of vulnerability classes found in a single mini-filter driver suggests fundamental issues with the driver's input validation architecture.

cldflt.sys processes cloud file placeholder operations, sync state management, and reparse data for OneDrive and other cloud storage providers. It is enabled by default on Windows 10 and 11 systems with cloud storage configured, giving it a massive installed base.

Root Cause

Microsoft's advisory does not disclose the specific mechanism. The cldflt.sys attack surface involves filter manager callbacks for create, cleanup, read, and write operations on cloud file placeholders. Each of these callbacks handles variable-length data structures containing embedded offsets, lengths, and type identifiers. The history of this driver shows that validation gaps in these structures have produced every major vulnerability class: buffer overflows, OOB reads, race conditions, and use-after-free bugs.
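As an added illustration of the validation pattern the paragraph describes (not Microsoft's code, and not the driver's real placeholder or reparse layout, which the advisory does not disclose): a hypothetical variable-length record with embedded type, offset and length fields, and a validator that bounds every field against the caller's buffer before anything is dereferenced. The struct, constants and function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical record of the shape the page describes: a fixed header whose
 * embedded offset/length address a trailing payload. Constructed for this
 * example; it is NOT the real cldflt.sys placeholder or reparse layout. */
typedef struct {
    uint32_t type;        /* type identifier */
    uint32_t data_offset; /* payload offset from the start of the record */
    uint32_t data_length; /* payload length in bytes */
} record_hdr_t;

#define RECORD_TYPE_PLACEHOLDER 1u
#define RECORD_TYPE_SYNC_STATE  2u

/* Accept the record only if every embedded field stays inside the
 * caller-supplied buffer. The length is compared against the space left
 * after the (already checked) offset rather than against offset + length,
 * so no intermediate sum can wrap around. */
bool record_validate(const uint8_t *buf, size_t buf_len,
                     const uint8_t **payload, size_t *payload_len)
{
    if (buf == NULL || buf_len < sizeof(record_hdr_t))
        return false;                 /* header itself is truncated */
    record_hdr_t hdr;
    memcpy(&hdr, buf, sizeof hdr);    /* avoid unaligned access through buf */
    if (hdr.type != RECORD_TYPE_PLACEHOLDER && hdr.type != RECORD_TYPE_SYNC_STATE)
        return false;                 /* unknown type: reject, never guess a layout */
    if (hdr.data_offset < sizeof(record_hdr_t) || hdr.data_offset > buf_len)
        return false;                 /* payload overlaps the header or starts past the end */
    if (hdr.data_length > buf_len - hdr.data_offset)
        return false;                 /* payload would run past the buffer */
    if (payload)     *payload = buf + hdr.data_offset;
    if (payload_len) *payload_len = hdr.data_length;
    return true;
}

/* Constructed test helper: write a header with the caller's (possibly bogus)
 * fields into `out`; returns the header size, or 0 if `out` is too small. */
size_t record_build(uint8_t *out, size_t out_cap, uint32_t type,
                    uint32_t data_offset, uint32_t data_length)
{
    if (out_cap < sizeof(record_hdr_t))
        return 0;
    record_hdr_t hdr = { type, data_offset, data_length };
    memcpy(out, &hdr, sizeof hdr);
    return sizeof hdr;
}
```

The malformed cases in the test (length past the end, offset plus length wrapping in 32-bit arithmetic, offset inside the header, unknown type, truncated header) are exactly the inputs a kernel parser must refuse before touching the payload.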

Exploitation

A local attacker crafts cloud file operations that reach the vulnerable code path. The exploitation primitive depends on the specific bug class, but the cldflt.sys pattern consistently yields kernel pool corruption that can be leveraged for token manipulation and SYSTEM escalation.

Exploitation Primitive

Crafted cloud file operation --> kernel vulnerability --> SYSTEM

Broader Significance

Eight CVEs in three years make cldflt.sys one of the most prolific kernel attack surfaces in the Windows ecosystem, alongside CLFS and win32k. The driver's default-enabled status on consumer Windows installations means that cloud storage integration has quietly become a significant kernel security liability. Microsoft's approach of patching individual code paths has not stemmed the flow of new vulnerabilities, suggesting the driver would benefit from more comprehensive input validation refactoring or a sandboxing layer for placeholder data processing.
