The issue, tracked as CVE-2026-2636, resides in the Windows Common Log File System driver, CLFS.sys. CLFS is a kernel component used by Windows and applications to maintain transactional logs in .blf files, making it a high-impact target when reliability is compromised.
The bug was discovered during research focused on identifying potential Remote Code Execution (RCE) issues in CLFS.
Instead of yielding code execution, changes to certain values in the exploit chain consistently pushed Windows into a hard crash state that the OS could not recover from without reboot.
According to Core Security’s analysis, the vulnerability is rooted in improper handling of invalid or special elements in CLFS, aligning with CWE-159 (Improper Handling of Special Elements).
This logic flaw directly affects how the driver processes I/O requests issued against CLFS log files.
The PoC demonstrates that a non-admin user can trigger the bug by performing a crafted ReadFile operation on a handle associated with an opened .blf log file.
Internally, CLFS expects certain flags in the I/O Request Packet (IRP), particularly IRP_PAGING_IO or IRP_INPUT_OPERATION, to be set when handling the read.
These flags inform the driver about the nature of the I/O operation and how to treat the data path safely.
In the PoC scenario:
- A handle to a .blf log file is obtained by a low-privileged user.
- The ReadFile call is issued in such a way that the expected IRP flags are not set.

With these flags disabled, the driver reaches a critical inconsistency. To preserve overall OS integrity, Windows invokes the kernel routine KeBugCheckEx, which immediately halts execution and displays a BSoD.
Core Security’s debugging shows that a specific register value (AL = 0x0) on the decision path leads directly to this bugcheck, confirming the deterministic nature of the crash.
CVE-2026-2636 carries a CVSS score of 5.5 (Medium), but its availability impact is high. Any authenticated user on an affected system without administrative rights can reliably crash the host on demand.
In shared environments, VDI farms, or terminal servers, this behavior can severely disrupt operations, SLAs, and availability targets.
Key technical details:
- Affected component: CLFS.sys (Common Log File System driver)
- Trigger: ReadFile call on a .blf log handle with missing IRP flags
- Impact: The flaw does not provide direct avenues for data exfiltration or privilege escalation, but repeated triggering can be weaponized for insider disruption, targeted downtime, or distraction during multi-stage attacks.
Microsoft quietly addressed this vulnerability in the September 2025 cumulative update. Systems running Windows 11 2024 LTSC and Windows Server 2025 are protected by default, as they include the fix.
However, older or unpatched builds, including Windows 11 23H2 and legacy Windows 10 deployments, remain exposed if the September 2025 security rollup has not been applied.
While CVE-2026-2636 is “only” a Denial-of-Service flaw, the combination of public exploit code, low privilege requirements, and guaranteed system crashes makes prompt patching essential for maintaining service availability.
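The following PowerShell triage script is an added example, not code from the article or from Core Security's advisory. It reports the local OS build against the exposure picture the article gives, lists the most recent cumulative updates, and pulls recent bugcheck and unexpected-shutdown events so unexplained BSoDs on a multi-user host can be correlated with an exposed build. The build numbers it uses (26100 for Windows 11 24H2/2024 LTSC and Windows Server 2025, 22631 for Windows 11 23H2, 19045 for Windows 10 22H2) come from public Windows release information and are not stated on the page; because the article names no KB number, the script cannot prove the September 2025 rollup is present and instead lists installed updates for manual comparison.

```powershell
# Added triage example for CVE-2026-2636. Not code from the Cyber Security News
# article or from Core Security; it only reads local state and writes a report.
# Build numbers below are from public Windows release information, not the article:
#   26100 = Windows 11 24H2 / Windows 11 2024 LTSC / Windows Server 2025 (fix included per the article)
#   22631 = Windows 11 23H2
#   19045 = Windows 10 22H2
# The article names no KB number, so the script cannot confirm the September 2025
# rollup; on exposed builds it lists recent cumulative updates for manual comparison.

function Get-ClfsDosExposure {
    [CmdletBinding()]
    param(
        [int]$BugcheckLookbackDays = 30
    )

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    $exposure = if ($build -ge 26100) {
        'Protected by default (build line ships with the fix per the article)'
    } elseif ($build -eq 22631 -or $build -le 19045) {
        'EXPOSED unless the September 2025 cumulative update is installed'
    } else {
        'Not addressed by the article; verify patch level manually'
    }

    # Most recent cumulative/security updates, newest first. InstalledOn can be
    # null on some hosts, so sort on a coalesced value.
    $updates = Get-HotFix |
        Where-Object { $_.Description -match 'Update' } |
        Sort-Object { if ($_.InstalledOn) { $_.InstalledOn } else { [datetime]::MinValue } } -Descending |
        Select-Object -First 5 HotFixID, Description, InstalledOn

    # Crash evidence: WER "rebooted from a bugcheck" (System log, ID 1001) and
    # Kernel-Power unexpected shutdown (ID 41). A burst of these on a shared host
    # running an exposed build is worth correlating with the users logged on at
    # the time. The array subexpression keeps empty results from adding nulls.
    $since = (Get-Date).AddDays(-$BugcheckLookbackDays)
    $crashEvents = @(
        Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1001; StartTime = $since } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'bugcheck' }
        Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 41; ProviderName = 'Microsoft-Windows-Kernel-Power'; StartTime = $since } -ErrorAction SilentlyContinue
    )

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OSCaption     = $os.Caption
        Build         = $build
        Exposure      = $exposure
        RecentUpdates = $updates
        CrashEvents   = $crashEvents |
                            Sort-Object TimeCreated -Descending |
                            Select-Object TimeCreated, Id, ProviderName,
                                @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
        CrashCount    = $crashEvents.Count
    }
}

# Usage: run from an elevated PowerShell session (the event log and hotfix
# queries need it) on each host to be triaged.
$report = Get-ClfsDosExposure -BugcheckLookbackDays 30
$report | Format-List ComputerName, OSCaption, Build, Exposure, CrashCount
$report.RecentUpdates | Format-Table -AutoSize
$report.CrashEvents   | Format-Table -AutoSize -Wrap
```

The build check is deliberately coarse: it tells an operator which of the article's three categories a host falls into, and the update list is there to be read against the September 2025 release, not to be parsed for a KB the page does not name. On terminal servers and VDI hosts the CrashEvents output is the useful part, since a cluster of ID 1001 events during working hours on an exposed build is the pattern this flaw would produce.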
The post PoC Published for Microsoft Windows Flaw That Allows Low-Privileged Users to Force Irrecoverable BSODs appeared first on Cyber Security News.