
TALK: CLFS Uncontained: Exploiting CLFS Without Touching the Log
Marco Ortisi, Ben Dumas
ABSTRACT
This talk explores the exploitation of CVE-2025-29824, a use-after-free vulnerability caused by a race condition in the Windows CLFS (Common Log File System) driver, disclosed in April 2025. Unlike previous CLFS-related vulnerabilities, the adopted exploitation approach requires no manipulation of log file structures or tampering with CLFS containers. The presentation will walk through the vulnerability's root cause, discuss reliable triggering mechanisms in user space, and demonstrate how controlled object reuse leads to kernel-level privilege escalation. The talk concludes with guidance on detection strategies and a discussion of potential forensic artifacts to monitor in real-world environments.
Marco Ortisi
Marco has been working in IT security professionally since 1999. After several roles in Italy and abroad—as a penetration tester, vulnerability researcher, team leader, and eventually red team manager—he went through a midlife crisis that led him to return to vulnerability research and analysis (especially 0days). He rediscovered the joy of reporting to no one but himself. Marco is a former speaker and trainer at Black Hat, BruCON, HackInBo, and many other conferences.
https://www.linkedin.com/in/marco-ortisi-a156037/
Ben Dumas
Ben comes from a diverse background encompassing program analysis, malware reverse engineering, and IoT vulnerability research, where he has conducted in-depth investigations of vulnerabilities in consumer devices including network routers, surveillance cameras, and point-of-sale systems.
Today, Ben continues to enjoy vulnerability research and analyzes actively exploited vulnerabilities across various technology stacks, from Windows kernel vulnerabilities to web application security flaws.