CVE-2024-49138

HIGH KEV

Windows Common Log File System Driver - Elevation of Privilege via Heap-based Buffer Overflow

Title source: llm

Exploitation Summary

CVE-2024-49138 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added December 10, 2024. EIP tracks 10 public exploits from researchers including Milad karimi, MrAle98, 1rhino2.

AI-analyzed exploit summary: This exploit targets CVE-2024-49138, a privilege escalation vulnerability in Microsoft Windows 11 23H2's CLFS.sys driver. It manipulates kernel memory to elevate privileges by overwriting thread structures and token values.

Description

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Exploits (10)

exploitdb WORKING POC
by Milad karimi · clocalwindows
https://www.exploit-db.com/exploits/52270

This exploit targets CVE-2024-49138, a privilege escalation vulnerability in Microsoft Windows 11 23H2's CLFS.sys driver. It manipulates kernel memory to elevate privileges by overwriting thread structures and token values.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Microsoft Windows 11 23H2
No auth needed
Prerequisites: Access to a vulnerable Windows 11 23H2 system
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 266 stars
by MrAle98 · local
https://github.com/MrAle98/CVE-2024-49138-POC

The repository contains a functional exploit PoC for CVE-2024-49138, targeting a Windows kernel vulnerability. The code demonstrates kernel memory manipulation and privilege escalation techniques, including token swapping and arbitrary memory write operations.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Microsoft Windows Kernel (specific version not specified)
No auth needed
Prerequisites: Windows system with vulnerable kernel · Ability to execute arbitrary code on the target system
devstral-2 · analyzed Feb 18, 2026
nomisec STUB 4 stars
by 1rhino2 · poc
https://github.com/1rhino2/SCRAPPED

The repository contains only a minimal README file with no exploit code or technical details. It appears to be a placeholder or scrapped project.

Classification
Stub 100%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 18, 2026
nomisec WRITEUP 1 star
by Zedocun · poc
https://github.com/Zedocun/soc-investigation-powershell-edrfreeze

This repository provides a detailed SOC investigation report on a PowerShell-based attack chain involving CVE-2024-49138, including IOCs, MITRE ATT&CK mapping, and a timeline of events. It documents the use of EDRFreeze for defense evasion but does not contain exploit code.

Classification
Writeup 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: N/A
No auth needed
Prerequisites: PowerShell execution · Network access to GitHub
devstral-2 · analyzed Mar 16, 2026
nomisec WORKING POC
by vettrivel007 · local
https://github.com/vettrivel007/CVE-2024-49138

The repository contains a functional exploit PoC for CVE-2024-49138, targeting a Windows kernel vulnerability. The code demonstrates kernel memory manipulation and token privilege escalation techniques, indicating a local privilege escalation (LPE) exploit.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Microsoft Windows Kernel
No auth needed
Prerequisites: Windows system with vulnerable kernel · Local access to the target system
devstral-2 · analyzed Apr 09, 2026
nomisec WRITEUP
by Bridg3Ops · poc
https://github.com/Bridg3Ops/SOC335-CVE-2024-49138-Exploitation-Detected

This repository provides a detailed technical analysis of a simulated security incident involving CVE-2024-49138, a privilege escalation vulnerability in the Windows Common Log File System (CLFS) driver. It includes investigation steps, process analysis, network activity, and mitigation recommendations.

Classification
Writeup 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Windows Common Log File System (CLFS) driver
No auth needed
Prerequisites: Access to a vulnerable Windows system with the CLFS driver · Ability to execute PowerShell scripts
devstral-2 · analyzed Feb 19, 2026
nomisec WRITEUP
by onixgod · poc
https://github.com/onixgod/SOC335-Event-ID-313-CVE-2024-49138-Exploitation-Detected--Lest-Defend-Writeup

This repository provides a detailed technical analysis of an intrusion involving CVE-2024-49138, a CLFS privilege escalation vulnerability. It includes a timeline of the attack, evidence of exploitation, and indicators of compromise.

Classification
Writeup 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Windows CLFS driver
Auth required
Prerequisites: Access to a vulnerable Windows system · Valid credentials for initial access
devstral-2 · analyzed Feb 18, 2026
nomisec WRITEUP
by CyprianAtsyor · poc
https://github.com/CyprianAtsyor/letsdefend-cve-2024-49138-investigation

This repository provides a detailed incident response investigation of CVE-2024-49138, a privilege escalation vulnerability in the Windows CLFS driver. It includes indicators of compromise, tool usage, and process analysis but lacks functional exploit code.

Classification
Writeup 90%
Attack Type
Lpe
Complexity
Moderate
Reliability
Theoretical
Target: Windows CLFS driver
No auth needed
Prerequisites: Access to a vulnerable Windows system · Ability to execute malicious binary
devstral-2 · analyzed Feb 18, 2026
nomisec WRITEUP
by DeividasTerechovas · poc
https://github.com/DeividasTerechovas/SOC335-CVE-2024-49138-Exploitation-Detected

This repository documents an incident response case involving CVE-2024-49138, focusing on logon failures, malware detection, and containment efforts. It provides detailed analysis of commands, processes, and MITRE ATT&CK mappings but lacks functional exploit code.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Windows (specific version not specified)
Auth required
Prerequisites: Access to a compromised system · Administrative privileges
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by bananoname · local
https://github.com/bananoname/CVE-2024-49138-POC

The repository contains a functional exploit PoC for CVE-2024-49138, targeting a Windows kernel vulnerability. The code includes kernel memory manipulation techniques, handle enumeration, and token privilege escalation logic, indicating a local privilege escalation (LPE) exploit.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Microsoft Windows Kernel (specific version not specified)
No auth needed
Prerequisites: Local access to a vulnerable Windows system · Ability to execute arbitrary code on the target system
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 7.8
EPSS 0.8701
EPSS Percentile 99.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2024-12-10
VulnCheck KEV 2024-12-10
InTheWild.io 2024-12-10
ENISA EUVD EUVD-2024-43765
CWE
CWE-122
Status published
Products (40)
Microsoft/Windows 10 Version 1507 10.0.10240.0 - 10.0.10240.20857
Microsoft/Windows 10 Version 1607 10.0.14393.0 - 10.0.14393.7606
Microsoft/Windows 10 Version 1809 10.0.17763.0 - 10.0.17763.6659
Microsoft/Windows 10 Version 21H2 10.0.19043.0 - 10.0.19044.5247
Microsoft/Windows 10 Version 22H2 10.0.19045.0 - 10.0.19045.5247
Microsoft/Windows 11 version 22H2 10.0.22621.0 - 10.0.22621.4602
Microsoft/Windows 11 version 22H3 10.0.22631.0 - 10.0.22631.4602
Microsoft/Windows 11 Version 23H2 10.0.22631.0 - 10.0.22631.4602
Microsoft/Windows 11 Version 24H2 10.0.26100.0 - 10.0.26100.2605
Microsoft/Windows Server 2008 Service Pack 2 6.0.6003.0 - 6.0.6003.23016
... and 30 more
Published Dec 12, 2024
KEV Added Dec 10, 2024
Tracked Since Feb 18, 2026