
CVE-2024-26160 PoC — Microsoft Windows Cloud Files Mini Filter Driver Security Vulnerability

Associated Vulnerability
Title: Microsoft Windows Cloud Files Mini Filter Driver Security Vulnerability (CVE-2024-26160)
Description: Microsoft Windows Cloud Files Mini Filter Driver is a cloud files filter driver from the US company Microsoft. Microsoft Windows Cloud Files Mini Filter Driver has a security vulnerability. The following products and versions are affected: Windows 11 Version 22H2 for ARM64-based Systems, Windows 11 Version 22H2 for x64-based Systems, Windows 11 Ve
Description
cldflt.sys information disclosure vulnerability (KB5034765 - KB5035853, Win 11).
Readme
# CVE-2024-26160 (cldflt.sys information disclosure vulnerability)

This is a short writeup about **CVE-2024-26160**, which can be found in the February patch (**KB5034765**, Windows 11 22H2, Windows 11 23H2). The vulnerability was closed in the March patch (**KB5035853**).

## Analysis

The vulnerability is located in the `CldiPortProcessGetRangeInfo` function, which does **not** validate the buffer size passed from the user application. Because the size is user-controlled, the `memmove` that copies the returned information can read into a neighbouring pool allocation containing kernel addresses when a suitable size is supplied.

![no-check](img/no-check.png)

![vuln](img/vuln.png)

The March patch (**KB5035853**) introduces an additional check for buffer size.

![patch](img/patch.png)
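The bug class described above, as an added user-mode model (not code from the PoC repository, and the function, struct and status names are constructed rather than cldflt.sys symbols): a fixed-size record sits directly in front of data the caller must never see, the vulnerable handler copies whatever length the caller asks for, and the hardened handler validates the length and copies only the record.

```c
/* Added example, not code from the PoC repository: a user-mode model of the
 * bug class described above. Names are constructed, not cldflt.sys symbols. */
#include <stdint.h>
#include <string.h>
#define RANGE_INFO_SIZE   16
#define STATUS_OK         0
#define STATUS_BAD_LENGTH (-1)

/* Constructed layout: the record a caller may see, immediately followed by data
 * it must never see (stand-in for a neighbouring pool chunk holding a pointer). */
struct pool_model {
    uint8_t   range_info[RANGE_INFO_SIZE];
    uintptr_t neighbour_ptr;   /* stand-in for a kernel address */
};

static struct pool_model g_pool = {
    { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 },
    (uintptr_t)0x4142434445464748ULL
};

/* Vulnerable pattern: the copy length comes straight from the caller and is
 * never compared against the size of the record actually being returned. */
int get_range_info_vulnerable(void *out, size_t out_len, size_t *returned)
{
    memmove(out, g_pool.range_info, out_len);   /* over-reads past the record */
    *returned = out_len;
    return STATUS_OK;
}

/* Hardened pattern (the kind of check the March patch adds): reject buffers
 * that cannot hold the record, and never copy more than the record itself. */
int get_range_info_fixed(void *out, size_t out_len, size_t *returned)
{
    if (out == NULL || out_len < RANGE_INFO_SIZE) {
        *returned = 0;
        return STATUS_BAD_LENGTH;
    }
    memmove(out, g_pool.range_info, RANGE_INFO_SIZE);
    *returned = RANGE_INFO_SIZE;
    return STATUS_OK;
}
/* Demonstration helper: did the bytes after the record reach the caller? */
int leaks_neighbour(const uint8_t *buf, size_t len)
{
    uintptr_t seen;
    if (len < RANGE_INFO_SIZE + sizeof seen) return 0;
    memcpy(&seen, buf + RANGE_INFO_SIZE, sizeof seen);
    return seen == g_pool.neighbour_ptr;
}
```

The detection-side takeaway is the same one the patch encodes: an output length supplied by the caller is untrusted input and must be bounded by the size of the object actually being returned, not used as the copy length.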

Under normal conditions the vulnerable function is reached through `CfGetPlaceholderRangeInfoForHydration`, which uses a fixed size for the returned buffer, so it is necessary to construct a data packet that reaches the vulnerable call directly. That call passes through the `CldiPortNotifyMessage` function, where all packets, including certain specific ones, must be validated.

![packet-7](img/packet-7.png)

The correct message type must be passed in order to trigger the leak.

![call](img/call.png)

If the data packet is properly formed, we will see the address leak.

![leak](img/leak.png)
File Snapshot

[4.0K] /data/pocs/a61ec86b772426b32b2c705425af7f748290b29a
├── [1.7K] CVE-2024-26160.sln
├── [6.5K] CVE-2024-26160.vcxproj
├── [ 887] CVE-2024-26160.vcxproj.filters
├── [ 973] defs.h
├── [4.0K] img
│   ├── [9.4K] call.png
│   ├── [102K] leak.png
│   ├── [7.8K] no-check.png
│   ├── [ 14K] packet-7.png
│   ├── [ 16K] patch.png
│   └── [ 18K] vuln.png
├── [9.0K] main.cpp
└── [1.4K] README.md

1 directory, 12 files