criticalCISA KEVCVE-2023-36424

Microsoft Windows Out-of-Bounds Read Vulnerability

Microsoft Windows Common Log File System Driver contains an out-of-bounds read vulnerability that could allow a threat actor for privileges escalation

ProductWindows
CVSS7.8
EPSS0.12184
UpdatedJuly 9, 2026

Quick answer

Microsoft Windows should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • -
  • r2

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

Treat CVE-2023-36424 as an actively exploited Windows Common Log File System Driver elevation-of-privilege risk. Microsoft and NVD describe it as a CLFS driver issue that can allow privilege escalation, and CISA KEV lists active exploitation. Because exploitation is local and useful after initial access, prioritize endpoints, servers, RDP-exposed systems, administrator workstations, and high-value Windows hosts. Apply the Microsoft Security Update Guide fix through the latest supported cumulative security update for each affected Windows branch, and retire unsupported systems that cannot receive the update.

  1. Inventory Windows clients and servers, including workstations, RDP hosts, jump boxes, domain controllers, application servers, and legacy Windows Server systems.
  2. Check each system against the Microsoft Security Update Guide entry for CVE-2023-36424 and its installed cumulative update level.
  3. Deploy the applicable Microsoft cumulative security update through Windows Update, WSUS, Microsoft Intune, SCCM, or the organization's approved patching workflow.
  4. Prioritize high-value systems and devices with internet-facing services, remote access exposure, privileged users, or recent malware alerts.
  5. Retire, isolate, or apply compensating controls for unsupported Windows versions that cannot receive the Microsoft security update.
  6. Review EDR, Windows event logs, service creation events, scheduled tasks, and privilege escalation alerts for suspicious activity around CLFS or unexpected SYSTEM-level processes.
  7. Rotate credentials and investigate lateral movement if exploitation or post-exploitation activity is suspected.
  8. Reboot systems where required and confirm patch installation completed successfully, not just downloaded.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm each Windows host shows the Microsoft security update or a later cumulative update that includes the CVE-2023-36424 fix.
  • Confirm WSUS, Intune, SCCM, Defender for Endpoint, or vulnerability management data no longer flags CVE-2023-36424 as missing.
  • Confirm no critical Windows security updates remain pending for the affected OS branch.
  • Review post-patch EDR and Windows logs for suspicious privilege escalation, unexpected SYSTEM processes, or new persistence mechanisms.
  • Run a Fixnx scan against public Windows-hosted services and management surfaces to verify external exposure is understood after remediation.

Related categories

Trusted references

FAQ

What is affected by CVE-2023-36424?

Microsoft Windows should be checked against the vendor advisory and trusted references linked on this page.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.