CVE-2021-43226

HIGH KEV RANSOMWARE

Windows Common Log File System Driver - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2021-43226 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added October 6, 2025, with confirmed use in ransomware campaigns. EIP tracks 1 public exploit from researchers including Rosayxy.

AI-analyzed exploit summary This repository contains a proof-of-concept exploit for CVE-2021-43226, a stack overflow vulnerability in the Common Log File System (CLFS) driver (clfs.sys) in Windows. The exploit leverages the GetLogFileInformation API with a manipulated buffer size to trigger the vulnerability.

Description

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Exploits (1)

nomisec WORKING POC 2 stars

by Rosayxy · local

https://github.com/Rosayxy/cve-2021-43226PoC

View Code ZIP pw:eip

This repository contains a proof-of-concept exploit for CVE-2021-43226, a stack overflow vulnerability in the Common Log File System (CLFS) driver (clfs.sys) in Windows. The exploit leverages the GetLogFileInformation API with a manipulated buffer size to trigger the vulnerability.

Classification

Working Poc 90%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows (clfs.sys)

No auth needed

Prerequisites: Windows environment with vulnerable clfs.sys driver · Ability to execute arbitrary code on the target system

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Patch, Vendor Advisory x_refsource_misc

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43226

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-43226

Scores

CVSS v3 7.8

EPSS 0.0307

EPSS Percentile 85.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2025-10-06

VulnCheck KEV 2022-06-13

InTheWild.io 2022-06-13

ENISA EUVD EUVD-2021-30170

Ransomware Use Confirmed

Status published

Products (21)

microsoft/windows_10_1507 < 10.0.10240.19145 (2 CPE variants)

microsoft/windows_10_1607 < 10.0.14393.4825 (2 CPE variants)

microsoft/windows_10_1809 < 10.0.17763.2366

microsoft/windows_10_1909 < 10.0.18363.1977

microsoft/windows_10_2004 < 10.0.19041.1415

microsoft/windows_10_20h2 < 10.0.19042.1415 (2 CPE variants)

microsoft/windows_10_21h1 < 10.0.19043.1415

microsoft/windows_10_21h2 < 10.0.19044.1415

microsoft/windows_11_21h2 < 10.0.22000.376

microsoft/windows_7

... and 11 more

Published Dec 15, 2021

KEV Added Oct 06, 2025

Tracked Since Feb 18, 2026