CVE-2022-37969

HIGH KEV RANSOMWARE

Windows Common Log File System Driver - Elevation of Privilege via Out-of-bounds Write

Title source: llm

Exploitation Summary

CVE-2022-37969 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added September 14, 2022, with confirmed use in ransomware campaigns. EIP tracks 6 public exploits from researchers including fortra, EmilC3978, and NoobCat2000.

AI-analyzed exploit summary: This repository contains a functional exploit PoC for CVE-2022-37969, a Windows Common Log File System Driver Local Privilege Escalation vulnerability. The code demonstrates the exploitation process, including kernel address resolution, token manipulation, and privilege escalation techniques.

Description

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Exploits (6)

nomisec WORKING POC 136 stars
by fortra · local
https://github.com/fortra/CVE-2022-37969

This repository contains a functional exploit PoC for CVE-2022-37969, a Windows Common Log File System Driver Local Privilege Escalation vulnerability. The code demonstrates the exploitation process, including kernel address resolution, token manipulation, and privilege escalation techniques.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows Common Log File System Driver (CLFS.SYS) on Windows Server 2016/2019/2022 and Windows 10/11
No auth needed
Prerequisites: Local access to a vulnerable Windows system · Administrative privileges to execute the exploit
devstral-2 · analyzed Feb 19, 2026
nomisec WRITEUP 2 stars
by EmilC3978 · local
https://github.com/EmilC3978/CVE-2022-37969PoC

This repository provides a detailed technical writeup and proof-of-concept code for CVE-2022-37969, a local privilege escalation vulnerability in the Windows CLFS (Common Log File System Driver). It includes explanations of Windows internals, exploit development concepts, and reusable code snippets for educational purposes.

Classification: Writeup 95%
Attack Type: LPE
Complexity: Complex
Reliability: Theoretical
Target: Windows CLFS (Common Log File System Driver)
Auth required
Prerequisites: Basic kernel debugging skills · Basic Reverse Engineering skills · Basic Windows internals knowledge · C/C++ programming skills
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC 2 stars
by NoobCat2000 · local
https://github.com/NoobCat2000/CVE-2022-37969

This repository contains a functional exploit PoC for CVE-2022-37969, targeting a Windows kernel vulnerability. The code includes memory manipulation, handle enumeration, and CLFS (Common Log File System) exploitation techniques, suggesting a local privilege escalation (LPE) attack.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows Kernel (CLFS component)
No auth needed
Prerequisites: Local access to the target system · Vulnerable Windows kernel version
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC 1 star
by grass341 · poc
https://github.com/grass341/CVE-2022-37969

This repository contains a functional exploit for CVE-2022-37969, targeting a Windows CLFS (Common Log File System) vulnerability. The code demonstrates heap manipulation, memory allocation, and CLFS structure exploitation to achieve local privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows CLFS (Common Log File System)
No auth needed
Prerequisites: Local access to a vulnerable Windows system · Ability to execute arbitrary code
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC
by nhh9905 · poc
https://github.com/nhh9905/CVE-2022-37969

This repository contains a functional exploit for CVE-2022-37969, a Windows kernel vulnerability. The exploit leverages heap spraying and arbitrary write primitives to achieve local privilege escalation (LPE) by manipulating pipe attributes and kernel structures.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows Kernel (CLFS and NPFS drivers)
No auth needed
Prerequisites: Windows system with vulnerable kernel drivers · Ability to execute arbitrary code at user level
devstral-2 · analyzed May 18, 2026
nomisec WORKING POC
by uname1able · local
https://github.com/uname1able/CVE-2022-37969

This repository contains functional exploit code for CVE-2022-37969, a vulnerability in the Common Log File System (CLFS) driver. The PoC demonstrates memory corruption via crafted log files and token manipulation for local privilege escalation on Windows 10 and 11.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows CLFS Driver (Windows 10 21H2, Windows 11 21H2)
No auth needed
Prerequisites: Local access to the target system · Windows SDK and Visual Studio 2022 for compilation
devstral-2 · analyzed Feb 20, 2026

Scores

CVSS v3: 7.8
EPSS: 0.2848
EPSS Percentile: 97.9%
Attack Vector: LOCAL
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2022-09-14
VulnCheck KEV: 2022-09-13
InTheWild.io: 2022-09-13
ENISA EUVD: EUVD-2022-40576
Ransomware Use: Confirmed
CWE: CWE-787
Status: published
Products (17)
microsoft/windows_10_1507 < 10.0.10240.19444
microsoft/windows_10_1607 < 10.0.14393.5356
microsoft/windows_10_1809 < 10.0.17763.3406
microsoft/windows_10_20h2 < 10.0.19042.2006
microsoft/windows_10_21h1 < 10.0.19043.2006
microsoft/windows_10_21h2 < 10.0.19044.2006
microsoft/windows_11_21h2 < 10.0.22000.978
microsoft/windows_7
microsoft/windows_8.1
microsoft/windows_rt_8.1
... and 7 more
Published: Sep 13, 2022
KEV Added: Sep 14, 2022
Tracked Since: Feb 18, 2026