
CLFS driver flaw: CVE-2026-2636
The issue, tracked as CVE-2026-2636, resides in the Windows Common Log File System driver, CLFS.sys.
CLFS is a kernel component used by Windows and applications to maintain transactional logs in .blf files, making it a high-impact target when reliability is compromised.
The bug was discovered during research focused on identifying potential Remote Code Execution (RCE) issues in CLFS.
Instead of yielding code execution, changes to certain values in the exploit chain consistently pushed Windows into a hard crash state that the OS could not recover from without reboot.
According to Core Security’s analysis, the vulnerability is rooted in improper handling of invalid or special elements in CLFS, aligning with CWE-159 (Improper Handling of Special Elements).
This logic flaw directly affects how the driver processes I/O requests issued against CLFS log files.
The PoC demonstrates that a non-admin user can trigger the bug by performing a crafted ReadFile operation on a handle associated with an opened .blf log file.
Internally, CLFS expects certain flags in the I/O Request Packet (IRP), particularly IRP_PAGING_IO or IRP_INPUT_OPERATION, to be set when handling the read.
These flags inform the driver about the nature of the I/O operation and how to treat the data path safely.
In the PoC scenario:
- A handle to a .blf log file is obtained by a low-privileged user.
- A ReadFile call is issued in such a way that the expected IRP flags are not set.
- CLFS internal routines proceed under incorrect assumptions and encounter an unrecoverable state.
With these flags disabled, the driver reaches a critical inconsistency. To preserve overall OS integrity, Windows invokes the kernel routine KeBugCheckEx, which immediately halts execution and displays a BSoD.
Core Security’s debugging shows that a specific register (AL = 0x0) in the decision path leads directly to this bugcheck, confirming the deterministic nature of the crash.
CVE-2026-2636 carries a CVSS score of 5.5 (Medium), but its availability impact is high. Any authenticated user on an affected system without administrative rights can reliably crash the host on demand.
In shared environments, VDI farms, or terminal servers, this behavior can severely disrupt operations, SLAs, and availability targets.
Key technical details:
- CVE ID: CVE-2026-2636
- Vulnerability type: Denial of Service (BSoD)
- Component: CLFS.sys (Common Log File System driver)
- Root cause: CWE-159, improper handling of special/invalid elements
- Trigger: ReadFile call on a .blf log handle with missing IRP flags
- Privileges required: Low/standard user
The flaw does not provide direct avenues for data exfiltration or privilege escalation, but repeated triggering can be weaponized for insider disruption, targeted downtime, or distraction during multi-stage attacks.
Microsoft quietly addressed this vulnerability in the September 2025 cumulative update. Systems running Windows 11 2024 LTSC and Windows Server 2025 are protected by default, as they include the fix.
However, older or unpatched builds, including Windows 11 23H2 and legacy Windows 10 deployments, remain exposed if the September 2025 security rollup has not been applied.
- Verify deployment of the September 2025 cumulative updates across all Windows 10 and 11 assets.
- Prioritize patching multi-user systems, RDS/VDI hosts, and critical servers where low-privileged accounts exist.
- Monitor for unusual spikes in BSoD events, which may indicate abuse of the published PoC.
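The two checks above (patch verification and BSoD monitoring) can be scripted on each host. The following PowerShell is an added example written for this article, not code from Core Security or Microsoft; it assumes bugcheck reboots are logged in the System log as Event ID 1001 from the BugCheck source (provider Microsoft-Windows-WER-SystemErrorReporting) and uses the installation date of updates as a coarse stand-in for the September 2025 rollup, since the article gives no KB number.

```powershell
# Added defender-side example (not from the original article or Core Security's PoC).
# Assumptions: BSoD reboots appear in the System log as Event ID 1001 from the
# "BugCheck" source (provider Microsoft-Windows-WER-SystemErrorReporting), and the
# September 2025 cumulative update shows in Get-HotFix with an InstalledOn date in
# or after September 2025. Tune $Threshold to the host's normal crash baseline.

function Get-BugCheckSpikes {
    param(
        [int]$Days = 14,        # look-back window
        [int]$Threshold = 2     # more bugchecks per day than this is "unusual"
    )
    $since = (Get-Date).AddDays(-$Days)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 1001
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*SystemErrorReporting*' }

    # Group bugchecks by calendar day and pull the stop code out of the message text.
    $events |
        Group-Object { $_.TimeCreated.Date } |
        ForEach-Object {
            [pscustomobject]@{
                Day        = $_.Name
                Count      = $_.Count
                StopCodes  = ($_.Group | ForEach-Object {
                                 if ($_.Message -match '0x[0-9a-fA-F]{8}') { $Matches[0] }
                             } | Sort-Object -Unique) -join ','
                Suspicious = $_.Count -gt $Threshold
            }
        } | Sort-Object Day
}

function Test-September2025Rollup {
    # Coarse check: any update installed from September 2025 onward.
    # Replace with the exact KB number from Microsoft's advisory once known (placeholder).
    $cutoff = Get-Date -Year 2025 -Month 9 -Day 1
    $kbs = Get-HotFix | Where-Object { $_.InstalledOn -ge $cutoff }
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Build     = [System.Environment]::OSVersion.Version.ToString()
        Patched   = [bool]$kbs
        HotFixIDs = ($kbs.HotFixID -join ',')
    }
}

Get-BugCheckSpikes | Format-Table -AutoSize
Test-September2025Rollup
```

A day flagged Suspicious on a multi-user host that also reports Patched = False is the combination worth escalating; on a patched host, repeated bugchecks point to a different cause.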
While CVE-2026-2636 is “only” a Denial-of-Service flaw, the combination of public exploit code, low privilege requirements, and guaranteed system crashes makes prompt patching essential for maintaining service availability.
The post PoC Published for Microsoft Windows Flaw That Allows Low-Privileged Users to Force Irrecoverable BSODs appeared first on Cyber Security News.
