Security researchers have unveiled a working Proof of Concept (PoC) exploit for a vulnerability in the Windows kernel that allows low-privileged users to induce a Blue Screen of Death (BSoD), resulting in an immediate Denial of Service. This issue, identified as CVE-2026-2636, is linked to the Windows Common Log File System (CLFS) driver, specifically within the CLFS.sys component.
CLFS Driver Flaw: CVE-2026-2636
The CLFS driver plays a crucial role in Windows, maintaining transactional logs in .blf files, so a reliability failure in it has wide impact. The vulnerability was uncovered during research aimed at identifying potential Remote Code Execution (RCE) issues within CLFS. Rather than yielding code execution, however, the trigger consistently produced a hard crash, forcing the operating system into an unrecoverable state that required a reboot.
According to an analysis by Core Security, the root of the vulnerability lies in the improper handling of invalid or special elements within CLFS, which corresponds to CWE-159 (Improper Handling of Special Elements). This flaw affects the driver’s processing of I/O requests directed at CLFS log files.
The PoC illustrates how a non-administrative user can trigger the bug by executing a crafted ReadFile operation on a handle linked to an opened .blf log file. Internally, CLFS expects specific flags in the I/O Request Packet (IRP), such as IRP_PAGING_IO or IRP_INPUT_OPERATION, to be set during the read operation. These flags are essential for the driver to understand the nature of the I/O operation and to manage the data path securely.
In the PoC scenario:
- A handle to a .blf log file is acquired by a low-privileged user.
- A ReadFile call is made without the expected IRP flags being set.
- CLFS internal routines operate under incorrect assumptions, leading to an unrecoverable state.
With those flags absent, the driver encounters a critical inconsistency. To preserve overall OS integrity, Windows invokes the kernel routine KeBugCheckEx, which halts execution and triggers a BSoD. Core Security's debugging indicates that a specific register value (AL = 0x0) in the decision path leads directly to this bugcheck, underscoring the deterministic nature of the crash.
CVE-2026-2636 carries a CVSS score of 5.5 (Medium), yet its impact on availability is classified as high. Any authenticated user on an affected system, even without administrative rights, can reliably crash the host at will. This behavior poses a significant risk in shared environments, such as Virtual Desktop Infrastructure (VDI) farms or terminal servers, where operational disruptions can severely affect service level agreements (SLAs) and availability targets.
Key technical details include:
- CVE ID: CVE-2026-2636
- Vulnerability type: Denial of Service (BSoD)
- Component: CLFS.sys (Common Log File System driver)
- Root cause: CWE-159, improper handling of special/invalid elements
- Trigger: ReadFile call on a .blf log handle with missing IRP flags
- Privileges required: Low/standard user
While the flaw does not directly facilitate data exfiltration or privilege escalation, its potential for repeated triggering can be weaponized for insider disruption, targeted downtime, or as a distraction during multi-stage attacks.
Microsoft addressed this vulnerability in the September 2025 cumulative update. Systems running Windows 11 2024 LTSC and Windows Server 2025 are protected by default, as they include the fix. However, older or unpatched builds, including Windows 11 23H2 and legacy Windows 10 deployments, remain vulnerable if the September 2025 security rollup has not been applied.
To mitigate risks, organizations are advised to:
- Verify the deployment of the September 2025 cumulative updates across all Windows 10 and 11 assets.
- Prioritize patching multi-user systems, RDS/VDI hosts, and critical servers where low-privileged accounts exist.
- Monitor for unusual spikes in BSoD events, which may indicate abuse of the published PoC.
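As an added example, not taken from the article or from Core Security's research, the following PowerShell check implements the last two recommendations on a single host: it counts recent bugcheck records in the System event log, flags a spike above a threshold, and reports whether a given update is installed. The KB number is a placeholder the operator must replace with the September 2025 rollup for their build; the event IDs (1001 for the post-crash BugCheck record, 41 for the Kernel-Power unexpected-restart record) are standard Windows System-log events.

```powershell
# Added example: detect a BSoD spike and confirm the fix is present on this host.
param(
    [int]$Hours = 24,        # look-back window
    [int]$Threshold = 3,     # bugchecks in the window that count as a spike
    # PLACEHOLDER: replace with the KB of the September 2025 cumulative update
    [string]$FixKB = 'KB0000000'
)

$since = (Get-Date).AddHours(-$Hours)

# Event 1001 ("The computer has rebooted from a bugcheck") carries the stop
# code and parameters once the dump has been processed. Kernel-Power 41 marks
# any unexpected restart, including power loss, so it is reported separately
# rather than treated as a confirmed bugcheck.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 1001, 41
    StartTime = $since
} -ErrorAction SilentlyContinue)

$bugchecks = @($events | Where-Object { $_.Id -eq 1001 -and $_.Message -match 'bugcheck' })
$restarts  = @($events | Where-Object { $_.Id -eq 41 })

# Get-HotFix lists installed Windows updates; a missing or mistyped KB simply
# yields no object, which is reported as "not installed".
$fixPresent = [bool](Get-HotFix -Id $FixKB -ErrorAction SilentlyContinue)

[PSCustomObject]@{
    Host               = $env:COMPUTERNAME
    WindowHours        = $Hours
    BugCheckEvents     = $bugchecks.Count
    UnexpectedRestarts = $restarts.Count
    LastBugCheck       = ($bugchecks | Sort-Object TimeCreated | Select-Object -Last 1).Message
    FixInstalled       = $fixPresent
    Spike              = ($bugchecks.Count -ge $Threshold)
}
```

Run it under a scheduled task or a remoting loop over RDS/VDI hosts and forward the object to your SIEM; a host reporting Spike = True with FixInstalled = False is the combination to act on first.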
Although CVE-2026-2636 is categorized as a Denial-of-Service flaw, the combination of publicly available exploit code, low privilege requirements, and guaranteed system crashes underscores the necessity for prompt patching to ensure service availability.