A high-severity out-of-bounds read in the Windows Common Log File System (CLFS) Driver lets a local, low-privileged attacker escalate to higher privileges on a broad range of Windows client and server builds.
What Is It
CVE-2023-36424 is an elevation of privilege vulnerability in the Windows Common Log File System Driver, classified as an out-of-bounds read (CWE-125). Microsoft originally published the advisory on 2023-11-14, and CISA added it to the Known Exploited Vulnerabilities catalog on 2026-04-13, confirming active exploitation in the wild.
NVD scores the bug CVSS 3.1 7.8 (HIGH), vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: local attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high impact to confidentiality, integrity, and availability. Successful exploitation gives a threat actor higher privileges on the affected host.
Why It Matters
CLFS is a kernel-mode logging subsystem present in every supported Windows build, which makes it a recurring target for privilege-escalation chains used by ransomware operators and other intrusion actors. CISA's KEV listing confirms in-the-wild exploitation; known ransomware use is currently flagged as Unknown, but local EoP bugs in CLFS have historically been paired with initial-access vectors to reach SYSTEM. Federal civilian agencies were required to remediate by 2026-04-27 under BOD 22-01.
What's Vulnerable
Per the NVD CPE configuration, affected operating systems include:
- Windows 10 (1507, 1607, 1809, 21H2, 22H2) below their respective November 2023 patch builds
- Windows 11 21H2 (< 10.0.22000.2600), 22H2 (< 10.0.22621.2715), and 23H2 (< 10.0.22631.2715)
- Windows Server 2008 SP2 and 2008 R2 SP1
- Windows Server 2012 and 2012 R2
- Windows Server 2016 (< 10.0.14393.6452), 2019 (< 10.0.17763.5122), 2022 (< 10.0.20348.2091), and Server 2022 23H2 (< 10.0.25398.531)
Patch Status
Microsoft shipped fixes through the MSRC update guide for CVE-2023-36424. Apply the November 2023 cumulative updates (or later) that bring affected systems to the fixed build versions listed above. CISA's required action is to apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
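As an added example (not from the advisory or from Microsoft), the PowerShell check below compares the host's installed build against the fixed-build table above and reports the loaded clfs.sys file version for cross-reference. It assumes the UBR registry value (present on Windows 10/11 and Server 2016 and later) and covers only the builds the advisory lists numerically; Windows 10, Server 2008 and Server 2012 hosts fall through to UNKNOWN.

```powershell
# Added example: check this host against the fixed builds listed for CVE-2023-36424.
# Thresholds are taken from the advisory text above; they are not an exhaustive list.
$FixedBuilds = @{
    # CurrentBuild = minimum UBR that contains the November 2023 fix
    '22000' = 2600   # Windows 11 21H2          (10.0.22000.2600)
    '22621' = 2715   # Windows 11 22H2          (10.0.22621.2715)
    '22631' = 2715   # Windows 11 23H2          (10.0.22631.2715)
    '14393' = 6452   # Windows Server 2016      (10.0.14393.6452)
    '17763' = 5122   # Windows Server 2019      (10.0.17763.5122)
    '20348' = 2091   # Windows Server 2022      (10.0.20348.2091)
    '25398' = 531    # Windows Server 2022 23H2 (10.0.25398.531)
}
# Note: Windows 10 1607/1809 share builds 14393/17763 with the server SKUs; the
# advisory only states the server fixed builds, so confirm those hosts separately.

function Test-Cve202336424Patched {
    # CurrentBuild plus UBR (update build revision) form 10.0.<build>.<ubr>,
    # the same form the advisory uses for its "below" thresholds.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR
    $installed = "10.0.$build.$ubr"

    # File version of the driver itself, for cross-checking against the patch KB.
    $clfs = Get-Item (Join-Path $env:SystemRoot 'System32\drivers\clfs.sys') -ErrorAction SilentlyContinue
    $clfsVersion = if ($clfs) { $clfs.VersionInfo.FileVersion } else { 'not found' }

    if (-not $FixedBuilds.ContainsKey($build)) {
        $fixed  = $null
        $status = 'UNKNOWN: build not in the advisory table; check the MSRC update guide'
    } else {
        $fixed  = "10.0.$build.$($FixedBuilds[$build])"
        $status = if ($ubr -ge $FixedBuilds[$build]) { 'PATCHED' }
                  else { 'VULNERABLE: below the fixed build, apply the November 2023 (or later) cumulative update' }
    }

    [pscustomobject]@{
        Installed      = $installed
        FixedBuild     = $fixed
        ClfsSysVersion = $clfsVersion
        Status         = $status
    }
}

Test-Cve202336424Patched | Format-List
```

Run it in an elevated or standard session; reading these registry values and the driver's version resource needs no special rights, so it is safe to push through your inventory tooling across a fleet.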