New Windows Vulnerability CVE-2026-2636 Enables Unprivileged Users to Trigger BSOD Crashes

Critical Windows Vulnerability Allows Unprivileged Users to Trigger Unrecoverable BSOD Crashes

A newly discovered vulnerability in Windows’ Common Log File System (CLFS) driver, identified as CVE-2026-2636, enables unprivileged users to cause immediate and irrecoverable Blue Screen of Death (BSOD) crashes. This flaw, uncovered by Ricardo Narvaja of Fortra, has been classified as a Denial-of-Service (DoS) issue with a CVSS base score of 5.5.

Technical Details:

The vulnerability arises from improper flag validation within the `CLFS!CClfsRequest::ReadLogPagingIo` function in `CLFS.sys` (tested on version 10.0.22621.5037). By executing a specific sequence of Windows API calls, the CLFS driver processes an I/O Request Packet (IRP) with critical flags disabled, leading to a direct invocation of `nt!KeBugCheckEx`, the kernel-level panic handler. This results in an irreversible system crash.

The two key flags involved are:

– IRP_PAGING_IO (0x02): Indicates that the I/O request pertains to memory paging operations, such as accessing paging files or memory-mapped files.

– IRP_INPUT_OPERATION: Signifies that the I/O operation involves input data transfer, such as reading from a device or file.

For `ReadLogPagingIo` to function correctly, at least one of these flags must be set. In the proof-of-concept (PoC) scenario, both flags were clear (the masked flag value held in AL was `0x0`), so the driver followed an execution path it was never meant to reach.

Exploitation Process:

The BSOD crash chain is deterministic and can be initiated from user space with a standard `ReadFile` API call. The kernel call stack at the moment of the crash, innermost frame first, is as follows:

1. `nt!DbgBreakPointWithStatus`

2. `nt!KiBugCheckDebugBreak+0x12`

3. `nt!KeBugCheck2+0xba3`

4. `nt!KeBugCheckEx+0x107`

5. `CLFS!CClfsRequest::ReadLogPagingIo+0xfc2f`

6. `CLFS!CClfsRequest::Dispatch+0x9c`

7. `CLFS!ClfsDispatchIoRequest+0x8e`

8. `CLFS!CClfsDriver::LogIoDispatch+0x27`

9. `nt!IofCallDriver+0x55`

10. `nt!IopSynchronousServiceTail+0x46f`

11. `nt!IopReadFile+0x4d4`

12. `nt!NtReadFile+0xdb`

The call originates from `KERNELBASE!ReadFile`, which enters the kernel through `nt!NtReadFile` and passes down the CLFS dispatch chain until the driver's inconsistent state invokes `KeBugCheckEx`. The entire chain is reproducible without elevated privileges, which makes it particularly dangerous in multi-user or shared enterprise environments.

Proof-of-Concept Details:

The PoC requires only two API calls and involves no crafted binary files or heap spray techniques. The attack sequence uses `CreateLogFile` to obtain a valid `.blf` log file handle, followed immediately by a `ReadFile` call on that same handle. This call combination is unexpected by the CLFS driver subsystem. Since `ReadFile` is not designed to operate on CLFS log handles in this context, the driver fails to handle the request gracefully and instead cascades into a kernel panic.

Implications:

The simplicity of this PoC lowers the exploitation barrier significantly, meaning even a novice threat actor could deploy it as a disruptive denial-of-service tool in enterprise Windows environments. The ability for an unprivileged user to cause an unrecoverable system crash poses a significant risk, especially in environments where system uptime is critical.

Mitigation and Recommendations:

Microsoft has addressed this vulnerability in the September 2025 cumulative update. Users and administrators are strongly advised to apply the latest security patches to mitigate this risk. Additionally, organizations should implement the following measures:

– Regular System Updates: Ensure that all systems are updated with the latest security patches to protect against known vulnerabilities.

– User Privilege Management: Limit user privileges to the minimum necessary to perform their job functions, reducing the potential impact of exploited vulnerabilities.

– Monitoring and Logging: Implement comprehensive monitoring and logging to detect unusual activities that may indicate exploitation attempts.

– Incident Response Planning: Develop and regularly update incident response plans to quickly address and mitigate the effects of security incidents.
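As an added example of the update and monitoring measures above (not part of the original article or of Fortra's research), the PowerShell below does two things an administrator can run on a fleet: it reads the installed `CLFS.sys` build and compares it with the 10.0.22621.5037 build the article reports as tested, and it pulls recent bugcheck and unexpected-shutdown events from the System log so a burst of crashes on shared hosts stands out. The article does not state the fixed file version, so `$PatchedVersion` is a placeholder to be filled in from the September 2025 cumulative update's file manifest; the event IDs used (Kernel-Power 41 and WER-SystemErrorReporting 1001) are standard Windows events, not anything taken from the advisory.

```powershell
# Added example (not the article's or vendor's code): CLFS.sys inventory plus bugcheck history.
# Assumptions: CLFS.sys lives in %SystemRoot%\System32\drivers; $PatchedVersion is a PLACEHOLDER
# because the page does not give the fixed build number.

function Get-ClfsDriverVersion {
    $path = Join-Path $env:SystemRoot 'System32\drivers\CLFS.sys'
    $vi = (Get-Item -LiteralPath $path).VersionInfo
    # Build a [version] from the numeric parts; FileVersion alone carries a trailing build tag string.
    [pscustomobject]@{
        Path    = $path
        Version = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    }
}

function Get-RecentBugchecks {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    # 41 = Kernel-Power (system rebooted without a clean shutdown), 1001 = BugCheck record with the stop code.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 41, 1001; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    $events |
        Where-Object { $_.ProviderName -match 'Kernel-Power|SystemErrorReporting' } |
        Select-Object TimeCreated, Id, ProviderName,
                      @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

function Test-ClfsExposure {
    param(
        [version]$KnownVulnerable = [version]'10.0.22621.5037',  # build the article reports as tested
        [version]$PatchedVersion  = [version]'0.0.0.0',          # PLACEHOLDER: fixed build for this OS branch
        [int]$Days = 30
    )
    $drv     = Get-ClfsDriverVersion
    $crashes = @(Get-RecentBugchecks -Days $Days)

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        ClfsVersion             = $drv.Version
        MatchesTestedVulnerable = ($drv.Version -eq $KnownVulnerable)
        # Only meaningful once $PatchedVersion has been set from the update manifest.
        BelowPatchedBuild       = ($PatchedVersion -ne [version]'0.0.0.0' -and $drv.Version -lt $PatchedVersion)
        BugcheckEventsInWindow  = $crashes.Count
        LatestBugcheck          = ($crashes | Sort-Object TimeCreated -Descending | Select-Object -First 1).Summary
    }
}

# Usage: run as a local administrator (System log queries need it) and review the object,
# or wrap Test-ClfsExposure in Invoke-Command to gather results across a set of hosts.
Test-ClfsExposure -Days 30 | Format-List
```

Treat a version match as a prompt to confirm patch state rather than as proof of exposure, since other builds may carry the same defect; the crash history is the more useful signal on shared hosts, where repeated Kernel-Power 41 events with a CLFS-related 1001 record in a short window warrant an incident-response look.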

Conclusion:

The discovery of CVE-2026-2636 highlights the ongoing challenges in securing complex operating system components like the CLFS driver. The availability of a simple yet effective PoC exploit underscores the importance of timely patching and vigilant security practices. Organizations must remain proactive in their cybersecurity efforts to protect against such vulnerabilities and ensure the stability and security of their systems.