Talk

CLFS Uncontained: Exploiting CLFS Without Touching The Log

conf 21.11.2025 10:40 – 11:10 La Marive EN

This talk explores the exploitation of CVE-2025-29824, a use-after-free vulnerability caused by a race condition in the Windows CLFS (Common Log File System) driver, disclosed in April 2025. Unlike previous CLFS-related vulnerabilities, the adopted exploitation approach requires no manipulation of log file structures or tampering with CLFS containers. The presentation will walk through the vulnerability's root cause, discuss reliable triggering mechanisms in user space, and demonstrate how controlled object reuse leads to kernel-level privilege escalation. The talk concludes with guidance on detection strategies and a discussion of potential forensic artifacts to monitor in real-world environments.