
CVE-2026-2636

clfs.sys -- improper flag validation causes denial of service (BSoD), the twelfth CLFS CVE

Summary

Field                Value
Driver               clfs.sys
Vulnerability Class  Denial of Service (Improper Validation)
CVSS                 6.2
Exploited ITW        No (PoC public)
Patch Date           February 11, 2026

Context

Not every CLFS bug leads to SYSTEM. CVE-2026-2636 is a denial-of-service that crashes the kernel with a BSoD, without providing a code execution primitive. It is the twelfth CLFS CVE in the KernelSight corpus, and while it is less impactful than the heap overflow variants, it illustrates how deep the validation gaps in the CLFS log file format run.

The existence of a public PoC means any local user can crash the system on demand. In environments where system availability is critical (servers, production infrastructure), this makes the bug operationally significant despite the lower CVSS score.

Root Cause

The CLFS driver skips flag validation when processing log file metadata. A crafted log file can contain flag combinations that the driver's code was never designed to handle. When the driver encounters these invalid flag values during log file processing, it enters an inconsistent state that triggers an unrecoverable kernel panic (Bug Check / BSoD).

The bug is interesting from a research perspective because it shows that the CLFS validation gaps extend beyond size and offset fields to include flag and type fields. The driver's metadata parser broadly trusts the on-disk format without comprehensive consistency checking.
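The pattern the root cause describes, as an added illustration that is not the CLFS driver's code and does not use the real .BLF layout (the block layout, flag names and status codes are hypothetical): a parser that dispatches directly on on-disk flags, beside one that validates them before any code path depends on them.

```c
#include <stdint.h>
#include <stddef.h>
/* Hypothetical metadata block for illustration only; NOT the real CLFS on-disk
 * layout. Little-endian: flags @0, ext_off @4, ext_len @8; 16-byte header. */
#define BLOCK_HDR_LEN      16u
#define FLAG_COMPRESSED    0x01u
#define FLAG_HAS_EXTENSION 0x04u
#define FLAG_MULTIPLEXED   0x08u   /* hypothetical: never valid with COMPRESSED */
#define FLAG_KNOWN_MASK    0x0Fu
enum status { ST_OK = 0, ST_TOO_SHORT, ST_UNKNOWN_FLAGS, ST_CONFLICTING_FLAGS,
              ST_BAD_EXTENSION, ST_INCONSISTENT_STATE };
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Vulnerable pattern: dispatch straight on the on-disk flags. A combination the
 * author never anticipated lands in the default branch, which in a driver is
 * where the bug check (BSoD) fires; it is modelled here as a return value. */
enum status process_unchecked(const uint8_t *blk, size_t len) {
    if (len < BLOCK_HDR_LEN) return ST_TOO_SHORT;
    switch (rd32(blk) & (FLAG_COMPRESSED | FLAG_MULTIPLEXED)) {
    case 0: case FLAG_COMPRESSED: case FLAG_MULTIPLEXED: return ST_OK;
    default: return ST_INCONSISTENT_STATE;   /* KeBugCheck territory */
    }
}
/* Hardened pattern: flags are untrusted input. Unknown bits, mutually exclusive
 * bits and flag/field inconsistencies are rejected with a recoverable error
 * before any code path depends on them. */
enum status validate_flags(const uint8_t *blk, size_t len) {
    if (len < BLOCK_HDR_LEN) return ST_TOO_SHORT;
    uint32_t flags = rd32(blk), off = rd32(blk + 4), n = rd32(blk + 8);
    if (flags & ~FLAG_KNOWN_MASK) return ST_UNKNOWN_FLAGS;
    if ((flags & (FLAG_COMPRESSED | FLAG_MULTIPLEXED)) ==
        (FLAG_COMPRESSED | FLAG_MULTIPLEXED)) return ST_CONFLICTING_FLAGS;
    if (flags & FLAG_HAS_EXTENSION) {   /* extension inside block; no off+n overflow */
        if (off < BLOCK_HDR_LEN || off > len || n == 0 || n > len - off) return ST_BAD_EXTENSION;
    } else if (off != 0 || n != 0) {
        return ST_BAD_EXTENSION;        /* reserved fields must be zero when flag is clear */
    }
    return ST_OK;
}
enum status process_checked(const uint8_t *blk, size_t len) {
    enum status st = validate_flags(blk, len);
    return st != ST_OK ? st : process_unchecked(blk, len);
}
/* Constructed sample blocks (32 bytes each, unspecified bytes are zero). */
#define SAMPLE_LEN 32u
const uint8_t SAMPLE_OK[SAMPLE_LEN]       = { 0x05,0,0,0, 0x10,0,0,0, 0x08,0,0,0 };
const uint8_t SAMPLE_CONFLICT[SAMPLE_LEN] = { 0x09,0,0,0 };
const uint8_t SAMPLE_UNKNOWN[SAMPLE_LEN]  = { 0x01,0,0,0x80 };
const uint8_t SAMPLE_BAD_EXT[SAMPLE_LEN]  = { 0x04,0,0,0, 0x10,0,0,0, 0xF0,0xFF,0xFF,0xFF };
```

The unchecked path silently accepts the unknown high bit and reaches its "cannot happen" branch on the conflicting pair; the checked path turns both, and the overflow-prone extension length, into errors the caller can return to user mode.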

Exploitation

The attacker creates a crafted CLFS log file (.BLF) with invalid flag combinations. When the driver processes the file, it hits the invalid state and triggers a bug check. The crash is reliable and deterministic. This is DoS only; the crash does not provide a memory corruption primitive that could be leveraged for code execution.

A public PoC demonstrates the crash, making this bug trivially reproducible.

Exploitation Primitive

Crafted CLFS log file --> invalid flag validation
  --> kernel panic (BSoD)

Broader Significance

CVE-2026-2636 is a data point in the CLFS story rather than a headline vulnerability. But it reinforces the core finding: the CLFS driver parses a complex on-disk format with insufficient validation at every level, from sizes and offsets to flags and type identifiers. The same architectural weakness that produces DoS bugs in flag validation produces code execution bugs in size validation. Until the parsing architecture is fundamentally redesigned, both categories will continue to appear.

References