TALK: CLFS Uncontained: Exploiting CLFS Without Touching the Log

Marco Ortisi, Ben Dumas

ABSTRACT

This talk explores the exploitation of CVE-2025-29824, a use-after-free vulnerability caused by a race condition in the Windows CLFS (Common Log File System) driver and disclosed in April 2025. Unlike previous CLFS-related vulnerabilities, the adopted exploitation approach requires no manipulation of log file structures or tampering with CLFS containers. The presentation will walk through the vulnerability's root cause, discuss reliable triggering mechanisms in user space, and demonstrate how controlled object reuse leads to kernel-level privilege escalation. The talk concludes with guidance on detection strategies and a discussion of potential forensic artifacts to monitor in real-world environments.

Marco Ortisi

Marco has been working in IT security professionally since 1999. After several roles in Italy and abroad—as a penetration tester, vulnerability researcher, team leader, and eventually red team manager—he went through a midlife crisis that led him to return to vulnerability research and analysis (especially 0days). He rediscovered the joy of reporting to no one but himself. Marco is a former speaker and trainer at Black Hat, BruCON, HackInBo, and many other conferences.

https://www.linkedin.com/in/marco-ortisi-a156037/

Ben Dumas

Ben comes from a diverse background encompassing program analysis, malware reverse engineering, and IoT vulnerability research, where he has conducted in-depth investigations of vulnerabilities in consumer devices including network routers, surveillance cameras, and point-of-sale systems.

Today, Ben continues to enjoy vulnerability research and analyzes actively exploited vulnerabilities across various technology stacks, from Windows kernel vulnerabilities to web application security flaws.

MORE FROM RINGZER0 COUNTERMEASURE25
