A proof-of-concept (PoC) exploit has been publicly released for\u00a0CVE-2026-2636, a newly documented vulnerability in Windows\u2019 Common Log File System (CLFS) driver<\/a> that allows any low-privileged, unprivileged user to instantly crash a target system into an unrecoverable Blue Screen of Death (BSoD).<\/p>\n The vulnerability was discovered by Ricardo Narvaja of Fortra during CLFS-focused vulnerability research and has been classified as a Denial-of-Service (DoS) flaw with a CVSS base score of 5.5.<\/p>\n The vulnerability stems from improper flag validation within the\u00a0 When a specific sequence of Windows API calls is made, the CLFS driver processes an I\/O Request Packet (IRP) with critical flags in a disabled state, triggering a logic path that directly invokes\u00a0 The two key flags involved are:<\/p>\n For\u00a0 The internal flag value\u00a0 The BSoD crash chain is deterministic and begins from user-space with a standard\u00a0 The call originates from\u00a0 <\/a>\u200bThe PoC requires only\u00a0two API calls<\/strong>\u00a0and involves no crafted binary files or heap spray techniques. The attack sequence uses\u00a0 This call combination is inherently unexpected by the CLFS driver subsystem. Since\u00a0 The simplicity of this PoC lowers the exploitation barrier significantly, meaning even a script-kiddie-level threat actor could deploy it as a disruptive denial-of-service tool in enterprise Windows environments.<\/p>\n Ricardo Narvaja of Fortra added that<\/a> Microsoft\u00a0silently fixed\u00a0this vulnerability as part of the September 2025 cumulative update for Windows 11 2024 LTSC and Windows Server 2025. Windows 25H2, released in September 2025, shipped with the fix already included. However,\u00a0Windows 11 23H2 and all earlier versions remain unpatched\u00a0and are currently vulnerable.<\/a>\u200b<\/p>\n This follows a pattern of recurring CLFS driver vulnerabilities that have plagued Windows for years, including CVE-2022-37969, CVE-2023-28252, CVE-2024-6768, and the actively ransomware-exploited CVE-2025-29824<\/a>, all rooted in the same CLFS.sys driver subsystem.<\/p>\n Organizations running unpatched Windows 11 23H2<\/a> or older builds should treat this as a high-priority patching action, particularly in environments where system availability is critical and local user access cannot be fully restricted.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post PoC Released for Windows Vulnerability That Allows Attackers to Cause Unrecoverable BSOD Crashes<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nCLFS!CClfsRequest::ReadLogPagingIo<\/code>\u00a0function inside\u00a0CLFS.sys<\/code>\u00a0(tested on version 10.0.22621.5037).<\/p>\nnt!KeBugCheckEx<\/code>\u00a0Windows\u2019 kernel-level panic handler places the system in an irreversible crash state.<\/p>\n\n
ReadLogPagingIo<\/code>\u00a0to process a request correctly, at least one of these flags must be enabled. In the PoC scenario, both flags were disabled (AL =\u00a00x0<\/code>), causing the driver to follow an incorrect execution path.<\/p>\n0x42<\/code>\u00a0tested during research had no documented behavior from Microsoft, highlighting a gap in public kernel documentation.<\/p>\n![\"BSOD](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEifeswZqrqfKmjpGvtlififffLZTJ_S3-fwN07nArF1s_LjOkXCQrSM-IJs8Z_l1Hz6DWelFHkBgnTwhT1S7I7oxcXCbFEO8oUD-VZWv9gfXVp5f0Y2SYQeUGoaVAD-jl-cuqyubOJqHxlF7Jo69PSVZ5TS9BXWx4y__sbFw-EmUOuG-Bh_qtfhFg3nA2Bv\/s16000\/BSD%2520Crash.webp?ssl=1\")
ReadFile<\/code>\u00a0API call. The full kernel call stack captured during exploitation is:<\/p>\ntext
nt!DbgBreakPointWithStatus\nnt!KiBugCheckDebugBreak+0x12\nnt!KeBugCheck2+0xba3\nnt!KeBugCheckEx+0x107\nCLFS!CClfsRequest::ReadLogPagingIo+0xfc2f\nCLFS!CClfsRequest::Dispatch+0x9c\nCLFS!ClfsDispatchIoRequest+0x8e\nCLFS!CClfsDriver::LogIoDispatch+0x27\nnt!IofCallDriver+0x55\nnt!IopSynchronousServiceTail+0x46f\nnt!IopReadFile+0x4d4\nnt!NtReadFile+0xdb\n<\/code><\/pre>\nKERNELBASE!ReadFile<\/code>, which triggers\u00a0nt!NtReadFile<\/code>, escalating through the CLFS dispatch chain until the driver\u2019s inconsistent state invokes\u00a0KeBugCheckEx<\/code>. The entire chain is reproducible without elevated privileges, making this particularly dangerous in multi-user or shared enterprise environments.<\/p>\n![\"The](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjjxz2pKUm6SdIDbCfJQFE_efUUthWEG2qFLbwhDmWcGu5Nchp7PUOWrnwmnt9JRXh4zGzSYoBEo9qtpwBXRusVShk_zVyB3yNLFZqetHXHlnh8nbBZjM3REBYaxw9_27olTBXbjIJZ3kjCyIvNCYiNJTzWoZaRUABTFi0pZTHtGc_XjepZX18gt83Ci04\/s1600\/Screenshot%25202026-02-26%2520130623%2520%25281%2529.webp?ssl=1\")
CreateLogFile<\/code>\u00a0to obtain a valid\u00a0.blf<\/code>\u00a0log file handle, followed immediately by a\u00a0ReadFile<\/code>\u00a0call on that same handle.<\/a>\u200b<\/p>\n![\"meaning](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh1vWl9PnpYN_Vwsevb80btUnNMSsDodxseP24vaiwRdP4jA8dSSc15SF-mdd6vD2vaDBEjCYmtYOI8KueEVDCykar2broitVzgfQFy6QRkQ9maS7D6f9yVGK2qGCQv1igoYM69mYB4ManUqap9zQn436QB7KJcaDdMWNCUEnvLpoTGRrx6YtYxxtFiI5g\/s1600\/Screenshot%25202026-02-26%2520131152%2520%25281%2529.webp?ssl=1\")
ReadFile<\/code>\u00a0is not designed to operate on CLFS log handles in this context, the driver fails to handle the request gracefully and instead cascades into a kernel panic.<\/p>\nMitigation Recommendations<\/strong><\/h2>\n
\n
ReadFile<\/code>\u00a0invocations against log file handles, which are not standard operational patterns.<\/li>\n