CVE-2022-24481

HIGH · EXPLOITED IN THE WILD

Windows Common Log File System Driver - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2022-24481 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 3 public exploits from researchers including fr4nkxixi, uname1able.

AI-analyzed exploit summary: This is a proof-of-concept exploit for CVE-2022-24481, targeting a Windows kernel vulnerability. The code demonstrates privilege escalation by manipulating system handles and kernel objects.

Description

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Exploits (3)

nomisec WORKING POC 14 stars
by fr4nkxixi · local
https://github.com/fr4nkxixi/CVE-2022-24481-POC

This is a proof-of-concept exploit for CVE-2022-24481, targeting a Windows kernel vulnerability. The code demonstrates privilege escalation by manipulating system handles and kernel objects.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows Kernel (specific version not specified)
No auth needed
Prerequisites: Windows system with vulnerable kernel · Local access to the target system
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by uname1able · local
https://github.com/uname1able/CVE-2022-24481

This repository contains functional exploit code for CVE-2022-24481, a local privilege escalation vulnerability in the Windows Common Log File System (CLFS) driver. The PoC manipulates CLFS log files to achieve arbitrary kernel memory writes, leading to token replacement and elevated privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows 10 21H2 (19044.1620) and Windows 11 21H2 (22000.593)
Auth required
Prerequisites: Local access to the target system · Ability to execute code with standard user privileges
devstral-2 · analyzed Feb 25, 2026

inthewild WORKING POC
poc
https://github.com/robotmd5/cve-2022-24481-poc

The repository contains a functional exploit PoC for CVE-2022-24481, targeting a Windows kernel vulnerability. The code includes detailed structures and functions to manipulate system handles and processes, indicating a local privilege escalation (LPE) exploit.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows Kernel (specific version not specified)
No auth needed
Prerequisites: Windows system with vulnerable kernel · Local access to the target system
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3 7.8
EPSS 0.2490
EPSS Percentile 96.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

VulnCheck KEV 2025-08-20
InTheWild.io 2022-06-13
Status published
Products (19)
microsoft/windows_10
microsoft/windows_10 20h2
microsoft/windows_10 21h1
microsoft/windows_10 21h2
microsoft/windows_10 1607
microsoft/windows_10 1809
microsoft/windows_10 1909
microsoft/windows_11 (2 CPE variants)
microsoft/windows_7
microsoft/windows_8.1
... and 9 more
Published Apr 15, 2022
Tracked Since Feb 18, 2026