Microsoft has not yet released a patch for a new vulnerability, CVE-2024-6768, that can crash Windows 10 and 11 systems. The flaw is in the Windows CLFS.SYS driver, which handles the Common Log File System (CLFS). The issue stems from improper validation of input data, leading to a denial of service in the form of the Blue Screen of Death (BSOD).
A proof of concept shows that an unprivileged user can craft specific values in a .BLF file to crash the system. Cybersecurity firm Fortra, which discovered the vulnerability, first reported it to Microsoft in December 2023.
However, Microsoft closed the case in February 2024, saying it could not reproduce the issue despite the evidence Fortra provided.
Unpatched Windows 10 bug persists
Fortra’s associate director of security research and development, Tyler Reguly, stated, “The potential problems include system instability and denial of service.
Malicious users can exploit this vulnerability to repeatedly crash affected systems, disrupting operations and potentially causing data loss.”
The vulnerability requires local access to exploit, so a threat actor would need physical access to the system. It is a particular concern for multi-user environments, where a malicious insider or low-privileged attacker could cause significant disruption. Organizations should be aware of this vulnerability, especially given Microsoft’s lack of action to patch it so far.
Reguly concluded, “The best-case scenario for this issue is that Microsoft sees the release and decides to deploy an update to resolve the vulnerability.”
Windows Defender has recently started identifying Fortra’s proof of concept as malware. However, there is little organizations can do to mitigate the issue until Microsoft releases a fix. The vulnerability persists in all recent Windows versions, even those fully updated.