Denial of Service in CLFS.sys

FR-2026-001 - Denial of Service in CLFS.sys

Severity
Medium
Published Date
25-Feb-2026
Updated Date
25-Feb-2026
Vulnerabilities
CVE-2026-2636
 
Notes
Description

This vulnerability is caused by CWE‑159: Improper Handling of Invalid Use of Special Elements, which leads to an unrecoverable inconsistency in the CLFS.sys driver. This condition forces a call to the KeBugCheckEx function, allowing an unprivileged user to trigger a system crash. Microsoft silently fixed this vulnerability in the September 2025 cumulative update for Windows 11 2024 LTSC and Windows Server 2025. Windows 25H2 (released in September) was released with the patch. Windows 1123h2 and earlier versions remain vulnerable.

 

Vulnerabilities

 
Denial of Service in CLFS.sys
Severity
Medium
CVE
CVE-2026-2636
CWE
CWE-159:Improper Handling of Invalid Use of Special Elements
Discovery Date
17-Jun-2025
CSSv3.1
5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Affected Products
Vulnerability Notes
Details

Timeline

  • June 17, 2025 - Reported to Microsoft with a Proof-of-Concept exploit.
  • July 3, 2025 - Microsoft reported the issue was not a vulnerability and could not be reproduced on the latest WIP.
  • July 11, 2025 - Fortra reported that the WIP builds were tested and two of the four were found to be vulnerable.
  • July 15, 2025 - Microsoft confirmed the vulnerability but indicated that due to it being a local denial of service, it would not be backported.
  • July 16, 2025 - Fortra asked if a CVE had been assigned.
  • July 20, 2025 - Microsoft indicated that a CVE would not be assigned due to the low severity rating.
  • February 25, 2025 - CVE Publication.
 
References
 

Acknowledgements

Fortra would like to thank the following individuals:

  • Ricardo Narvaja