TALOS-2026-2426
CVE-2026-58613
A use-after-free vulnerability exists in the CldiStreamCompleteRequest functionality of Windows Cloud Files Mini Filter Driver (version(s): 10.0.26100.8457 (WinBuild.160101.0800)). A specially crafted sequence of Cloud Filter API calls can lead to privilege escalation. An attacker can execute a dedicated application to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Windows Cloud Files Mini Filter Driver (version(s): 10.0.26100.8457 (WinBuild.160101.0800))
Windows Cloud Files Mini Filter Driver - https://www.microsoft.com/
8.8 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-416 - Use After Free
The Cloud Files Mini-Filter Driver (cldflt.sys) is a Microsoft Windows kernel-mode filesystem driver that enables cloud storage integration features such as OneDrive Files On-Demand. It manages cloud-based placeholder files, synchronizes data between local storage and cloud services, and downloads files automatically when users access them. The driver operates within the Windows file system stack to make cloud files behave like regular local files.
The Cloud Files Mini-Filter Driver manages cloud placeholder files for sync engines (OneDrive, Dropbox, etc.) and handles on-demand file hydration. The driver maintains a system-wide global countdown timer list — a kernel-mode linked list that tracks all pending blocking requests sent to cloud sync providers. This watchdog mechanism ensures that if a provider becomes unresponsive, the file system does not hang indefinitely. Each request placed on this list is assigned a 60-second deadline.
The global timer list is used in several core scenarios:
File hydration, Directory population, Notification acknowledgement, and most importantly for this vulnerability:
Provider progress reporting: When a sync provider calls CfReportProviderProgress / CfReportProviderProgress2 to report incomplete hydration progress (e.g., “downloaded 297 KB of 1000 KB”), the driver creates an internal provider request on the timer list. This allows the system to track in-progress transfers and cancel them if the provider disappears.
After a request’s 60-second deadline expires, the driver’s internal timer DPC fires and a worker thread walks the global list, cancelling all expired requests. This walk can also be triggered manually using the undocumented CfQueryProgress API call (used by Windows Shell to display hydration progress bars in File Explorer).
A cloud sync provider calls CfReportProviderProgress or CfReportProviderProgress2 to report incomplete hydration progress on a placeholder file (e.g., completed=297 out of total=1000). Inside the kernel, this traverses:
User-mode: CfReportProviderProgress2(connKey, transferKey, reqKey, total=1000, completed=297, sessionId=0)
→ cldapi!CfReportProviderProgress2 → FilterSendMessage
→ cldflt!CldiPortNotifyMessage
→ CldiPortProcessTransfer
→ CldiPortProcessReportProgress
→ CldSyncReportProgress
→ CldStreamReportProgress
→ CldiStreamBuildProviderRequest
→ CldiStreamInsertIntoGlobalRequestListNoLock ← INSERT_GLOBAL
The request is created when progressCompleted < progressTotal and no existing provider request is pending on the stream. At this point, the request holds a reference to the HSM_STREAM_CONTEXT via pRequest->pStreamHandleCtx->pStreamCtx. The stream context’s FltMgr refcount is > 1 (the file on disk, the NTFS file object, and various FltMgr internals all contribute additional references).
The provider process terminates — without calling CfDisconnectSyncRoot or CfUnregisterSyncRoot.
Result: the request survives on the global timer list after the provider process is gone. It becomes an orphan — no user-mode provider will ever complete it, and no disconnect logic will clean it up. The only thing that will touch it is the 60-second timeout mechanism.
Note: CfUnregisterSyncRoot, if called from the same process, would drain the request from the global list with status STATUS_CLOUD_FILE_PROVIDER_TERMINATED (0xC000CF16). By terminating the process without calling it, this cleanup path is bypassed entirely.
Removing files and placeholders from the sync root directory (e.g., via rmdir /s /q) causes NTFS file close operations. Each file close traverses the NTFS → FltMgr cleanup path, which calls FltReleaseContext on cached stream context references. This erodes the HSM_STREAM_CONTEXT refcount, eventually leaving the orphaned timer-list request as the sole remaining reference (refcount == 1).
Approximately 60 seconds after the request was inserted (Step 1), its deadline expires. We trigger the timer walk by calling the undocumented CfQueryProgress API, which sends port command 0x4001 to \CLDMSGPORT. In the kernel, this enters:
CfQueryProgress
→ FilterSendMessage (port cmd 0x4001)
→ CldiPortProcessFilterControl
→ CldiPortProcessQueryProgress
→ CldStreamQueryProgress
→ CldiStreamRestartCountdownTimer
→ CldiStreamStartCountdownTimer(bCancelAll=0)
CldiStreamStartCountdownTimer walks the global request list and cancels all expired requests:
```c do { AcquireResourceExclusive(&Resource);
if (ListEmpty) break;
pRequest = HEAD of list;
deadline = pRequest->DeadlineTimestamp;
if (deadline > currentTime) // NOT expired
break; // re-arm timer for remaining time
// EXPIRED:
RemoveFromGlobalList(pRequest);
pRequest->RemovedFromGlobalList = 1;
ReleaseResource(&Resource);
if (pRequest->MasterRequest)
FltCancelIo(pRequest->MasterRequest->UserCbd); // CVE-2023-29361 path (IRP-based)
else
CldiStreamCancelSynchronousRequest(pRequest); // OUR vulnerability path (no IRP)
} while (1); ```
Our request has MasterRequest == NULL because it was created by CfReportProviderProgress2 (a provider-initiated operation with no associated user I/O request). This takes the CldiStreamCancelSynchronousRequest path, which eventually calls CldiStreamCompleteRequest.
When cldflt crashes we see the following state:
6: kd> kb
# RetAddr : Args to Child : Call Site
00 fffff807`7d540e8c : 00000000`00000000 00000000`00000000 ffffcb82`900f2a80 00000000`00000000 : cldflt!CldiStreamCompleteRequest+0x12f
01 fffff807`7d540a60 : 00000000`00000000 ffffcb82`900f2a80 ffffc80b`34feea68 ffffa685`a7a86f10 : cldflt!CldiStreamCompleteCanceledRequest+0x234
02 fffff807`7d534ec0 : 01dcec7b`5946f732 ffffcb82`900f2a80 00000000`00000002 00000000`00000100 : cldflt!CldiStreamCancelSynchronousRequest+0x68
03 fffff807`7d5376ee : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : cldflt!CldiStreamStartCountdownTimer+0x150
04 fffff807`7d57cc0f : 00000000`00000000 00000000`00000000 00000000`00000002 00000000`00000100 : cldflt!CldiStreamRestartCountdownTimer+0x66
05 fffff807`7d57b50c : 00000000`00000001 0000000e`dabfdf90 00000000`00001c20 ffffc80b`34feed68 : cldflt!CldStreamQueryProgress+0x168b
06 fffff807`7d57b209 : 00000000`00004001 00000000`00000000 00000001`00001c20 ffffcb82`90f6cf20 : cldflt!CldiPortProcessQueryProgress+0x2b4
07 fffff807`7d54af49 : 00000000`00004001 00000000`00000000 00000000`00000000 00000000`00000000 : cldflt!CldiPortProcessFilterControl+0x4d
08 fffff801`4f233622 : ffffcb82`90ee6ee0 0000000e`dabfde30 00000000`000000e0 0000000e`dabfddb0 : cldflt!CldiPortNotifyMessage+0xcc9
09 fffff801`4f27f632 : ffffa685`af8dad60 0000000e`dabfde30 ffffa685`af8dae30 fffff801`be5259c0 : FLTMGR!FltpFilterMessage+0x162
0a fffff801`4f23b9c3 : ffffa685`af8dad60 ffffc80b`34fef0d0 ffffa685`a05a4bf0 00000000`00000000 : FLTMGR!FltpMsgDispatch+0xf2
0b fffff801`bd96ccfb : ffffc80b`34fef008 00000000`00060000 ffffa685`b0624ac0 fffff801`bdf561b9 : FLTMGR!FltpDispatch+0x133
0c fffff801`bd96cc73 : ffffa685`b0624ac0 ffffa685`b0624ac0 00000020`00000000 00000000`00000000 : nt!IopfCallDriver+0x5b
0d fffff801`bdfdb3a5 : ffffa685`b0624ac0 ffffc80b`34fef0d0 ffffa685`a05a4bf0 00000000`00000000 : nt!IofCallDriver+0x13
0e fffff801`bdfda1ec : 00000000`00000000 00000000`00000001 00000000`00000001 00000000`00000001 : nt!IopSynchronousServiceTail+0x1c5
0f fffff801`bdfd983e : 00000000`00000000 fffff801`bda3ce9f 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x99c
10 fffff801`bddcc558 : 00000000`00000000 00000000`00000000 0000000e`da776000 00000000`00000000 : nt!NtDeviceIoControlFile+0x5e
11 00007ffd`b8de1d84 : 00007ffd`aa833bc2 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
12 00007ffd`aa833bc2 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!NtDeviceIoControlFile+0x14
13 00007ffd`aa8331a1 : 00000000`00000000 0000000e`dabfdf80 00000000`00000000 00000000`00000000 : FLTLIB!FilterpDeviceIoControl+0x13e
14 00007ffd`a4503434 : 00000000`00000000 00000000`00000000 0000000e`dabfde70 00000000`00000000 : FLTLIB!FilterSendMessage+0x31
15 00007ff7`9cb147fc : 00000000`00000000 00000000`00000000 ffffffff`ffffd8f0 00000000`00000000 : cldapi!CfQueryProgress+0x3f4
16 00000000`00000000 : 00000000`00000000 ffffffff`ffffd8f0 00000000`00000000 00000000`00000032 : poc+0x47fc
6: kd> r
rax=0000000000000036 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000034 rsi=ffffcb82900f2a80 rdi=0000000000000000
rip=fffff8077d58435b rsp=ffffc80b34fee920 rbp=ffffcb8290ebaf80
r8=0000000000000036 r9=0000000000000001 r10=fffff801bd91de80
r11=ffffa685abe1c430 r12=00000000c000cf1f r13=00270000000289b7
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040282
cldflt!CldiStreamCompleteRequest+0x12f:
fffff807`7d58435b 488b4500 mov rax,qword ptr [rbp] ss:0018:ffffcb82`90ebaf80=????????????????
To have a better picture let us take a glance on the most important parts of CldiStreamCompleteRequest:
C++
Line 1 void __fastcall CldiStreamCompleteRequest(
Line 2 HSM_STREAM_HANDLE_CONTEXT *pStreamHandleCtx,
Line 3 CLD_STREAM_REQUEST *pRequest,
Line 4 __int64 completionStatus,
Line 5 unsigned int cancelFlags)
Line 6 {
Line 7
Line 8 (...)
Line 9 if ( (unsigned int)Feature_H2E_WPA3SAE__private_IsEnabledDeviceUsage_1() ) //Code introduced in May update
Line 10 {
Line 11 CldiStreamDeleteRequest(pRequest); // <-- First FREE REQUEST ?!
Line 12 CldiStreamCdqRELEASE((PFLT_CALLBACK_DATA_QUEUE)(*((_QWORD *)pStreamHandleCtx->pStreamCtx + 1) + 144LL), v15);// UAF!!!
Line 13 }
Line 14 else
Line 15 {
Line 16 if ( !pRequest->TimeoutType )
Line 17 CldiStreamCdqRELEASE((PFLT_CALLBACK_DATA_QUEUE)(*((_QWORD *)pStreamHandleCtx->pStreamCtx + 1) + 144LL), v14);
Line 18 CldiStreamDeleteRequest(pRequest);
Line 19 }
We can see that in line 11 our request will be freed.
Let us remind that pRequest keeps the following fields in its structure :
pRequest->pStreamHandleCtx and pStreamHandleCtx->pStreamCtx
Inside CldiStreamDeleteRequest function, FltReleaseContext drops the stream context refcount. Since our orphaned request holds the last reference (refcount == 1 after Step 3), the refcount drops to zero. This synchronously triggers the FltMgr cleanup callback chain — on the same thread, in the same call stack:
CldiStreamDeleteRequest+0xC5: FltReleaseContext(pStreamCtx)
→ FltMgr: refcount → 0, invoke cleanup callback
→ HsmFltDeleteSTREAM_CONTEXT+0x1E
→ CldHsmDeleteStreamContext+0x1B
→ CldStreamClose+0x154: ExFreePoolWithTag(pCldStream, 'Clst') ← POOL BLOCK FREED
When execution returns to CldiStreamCompleteRequest, it attempts CldiStreamCdqRELEASE which dereferences pStreamHandleCtx->pStreamCtx — a pointer to the just-freed pool block.
We can verify the rbp value from the crash:
6: kd> !verifier 0x80 ffffcb82`90ebaf80
======================================================================
Pool block ffffcb8290ebaf80, Size 0000000000000080, Thread ffffa685ad7e7080
fffff801bda59700 nt!ExpFreePoolChecks+0x40
fffff801be282eca nt!ExFreePoolWithTag+0x165a
fffff801bdd2b8cc nt!DifExFreePoolWithTagWrapper+0xdc
fffff8077d5737b0 cldflt!CldStreamClose+0x160
fffff8077d57362b cldflt!CldHsmDeleteStreamContext+0x1b
fffff8077d57400e cldflt!HsmFltDeleteSTREAM_CONTEXT+0x1e
fffff8014f223c57 FLTMGR!FltReleaseContext+0x437
fffff8077d534ce1 cldflt!CldiStreamDeleteRequest+0xc5
fffff8077d58435b cldflt!CldiStreamCompleteRequest+0x12f
fffff8077d540e8c cldflt!CldiStreamCompleteCanceledRequest+0x234
fffff8077d540a60 cldflt!CldiStreamCancelSynchronousRequest+0x68
fffff8077d534ec0 cldflt!CldiStreamStartCountdownTimer+0x150
fffff8077d5376ee cldflt!CldiStreamRestartCountdownTimer+0x66
fffff8077d57cc0f cldflt!CldStreamQueryProgress+0x168b
fffff8077d57b50c cldflt!CldiPortProcessQueryProgress+0x2b4
fffff8077d57b209 cldflt!CldiPortProcessFilterControl+0x4d
fffff8077d54af49 cldflt!CldiPortNotifyMessage+0xcc9
fffff8014f233622 FLTMGR!FltpFilterMessage+0x162
fffff8014f27f632 FLTMGR!FltpMsgDispatch+0xf2
fffff8014f23b9c3 FLTMGR!FltpDispatch+0x133
fffff801bd96ccfb nt!IopfCallDriver+0x5b
fffff801bd96cc73 nt!IofCallDriver+0x13
fffff801bdfdb3a5 nt!IopSynchronousServiceTail+0x1c5
fffff801bdfda1ec nt!IopXxxControlFile+0x99c
fffff801bdfd983e nt!NtDeviceIoControlFile+0x5e
fffff801bddcc558 nt!KiSystemServiceCopyEnd+0x28
The poor object memory management handling has led to a potentially dangerous use-after-free vulnerability, which may consequently result in local privilege escalations.
``` 6: kd> !analyze -v *************************** * * * Bugcheck Analysis * * * ***************************
PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: ffffcb8290ebaf80, memory referenced. Arg2: 0000000000000000, X64: bit 0 set if the fault was due to a not-present PTE. bit 1 is set if the fault was due to a write, clear if a read. bit 3 is set if the processor decided the fault was due to a corrupted PTE. bit 4 is set if the fault was due to attempted execute of a no-execute PTE. - ARM64: bit 1 is set if the fault was due to a write, clear if a read. bit 3 is set if the fault was due to attempted execute of a no-execute PTE. Arg3: fffff8077d58435b, If non-zero, the instruction address which referenced the bad memory address. Arg4: 0000000000000000, (reserved)
** WARNING: Unable to verify checksum for poc.exe Unable to load image C:\repro_stream_uaf\poc.exe, Win32 error 0n2 ** WARNING: Unable to verify checksum for poc.exe Unable to load image C:\repro_stream_uaf\poc.exe, Win32 error 0n2 *** WARNING: Unable to verify checksum for poc.exe Unable to load image C:\repro_stream_uaf\poc.exe, Win32 error 0n2
KEY_VALUES_STRING: 1
Key : AV.PTE
Value: Invalid
Key : AV.Page.Virtual
Value: 0xffffcb8290eb0000
Key : AV.Type
Value: Read
Key : Analysis.CPU.mSec
Value: 3875
Key : Analysis.Elapsed.mSec
Value: 7253
Key : Analysis.IO.Other.Mb
Value: 2030
Key : Analysis.IO.Read.Mb
Value: 45
Key : Analysis.IO.Write.Mb
Value: 5291
Key : Analysis.Init.CPU.mSec
Value: 1395312
Key : Analysis.Memory.CommitPeak.Mb
Value: 633
Key : Analysis.Version.DbgEng
Value: 10.0.29547.1002
Key : Analysis.Version.Description
Value: 10.2602.27.2 amd64fre
Key : Analysis.Version.Ext
Value: 1.2602.27.2
Key : Bugcheck.Code.KiBugCheckData
Value: 0x50
Key : Bugcheck.Code.LegacyAPI
Value: 0x50
Key : Bugcheck.Code.TargetModel
Value: 0x50
Key : Failure.Bucket
Value: AV_VRF_cldflt!CldiStreamCompleteRequest
Key : Failure.Exception.IP.Address
Value: 0xfffff8077d58435b
Key : Failure.Exception.IP.Module
Value: cldflt
Key : Failure.Exception.IP.Offset
Value: 0x8435b
Key : Failure.Hash
Value: {61f2862e-d255-0a0b-0f7e-ddec7a333e8f}
Key : Faulting.IP.Type
Value: Paged
Key : Hypervisor.Enlightenments.ValueHex
Value: 0x6090ebf4
Key : Hypervisor.Flags.AnyHypervisorPresent
Value: 1
Key : Hypervisor.Flags.ApicEnlightened
Value: 1
Key : Hypervisor.Flags.ApicVirtualizationAvailable
Value: 0
Key : Hypervisor.Flags.AsyncMemoryHint
Value: 0
Key : Hypervisor.Flags.CoreSchedulerRequested
Value: 0
Key : Hypervisor.Flags.CpuManager
Value: 0
Key : Hypervisor.Flags.DeprecateAutoEoi
Value: 0
Key : Hypervisor.Flags.DynamicCpuDisabled
Value: 1
Key : Hypervisor.Flags.Epf
Value: 0
Key : Hypervisor.Flags.ExtendedProcessorMasks
Value: 1
Key : Hypervisor.Flags.HardwareMbecAvailable
Value: 1
Key : Hypervisor.Flags.MaxBankNumber
Value: 0
Key : Hypervisor.Flags.MemoryZeroingControl
Value: 0
Key : Hypervisor.Flags.NoExtendedRangeFlush
Value: 0
Key : Hypervisor.Flags.NoNonArchCoreSharing
Value: 0
Key : Hypervisor.Flags.Phase0InitDone
Value: 1
Key : Hypervisor.Flags.PowerSchedulerQos
Value: 0
Key : Hypervisor.Flags.RootScheduler
Value: 0
Key : Hypervisor.Flags.SynicAvailable
Value: 1
Key : Hypervisor.Flags.UseQpcBias
Value: 0
Key : Hypervisor.Flags.Value
Value: 659693
Key : Hypervisor.Flags.ValueHex
Value: 0xa10ed
Key : Hypervisor.Flags.VpAssistPage
Value: 1
Key : Hypervisor.Flags.VsmAvailable
Value: 1
Key : Hypervisor.RootFlags.AccessStats
Value: 0
Key : Hypervisor.RootFlags.CrashdumpEnlightened
Value: 0
Key : Hypervisor.RootFlags.CreateVirtualProcessor
Value: 0
Key : Hypervisor.RootFlags.DisableHyperthreading
Value: 0
Key : Hypervisor.RootFlags.HostTimelineSync
Value: 0
Key : Hypervisor.RootFlags.HypervisorDebuggingEnabled
Value: 0
Key : Hypervisor.RootFlags.IsHyperV
Value: 0
Key : Hypervisor.RootFlags.LivedumpEnlightened
Value: 0
Key : Hypervisor.RootFlags.MapDeviceInterrupt
Value: 0
Key : Hypervisor.RootFlags.MceEnlightened
Value: 0
Key : Hypervisor.RootFlags.Nested
Value: 0
Key : Hypervisor.RootFlags.StartLogicalProcessor
Value: 0
Key : Hypervisor.RootFlags.Value
Value: 0
Key : Hypervisor.RootFlags.ValueHex
Value: 0x0
Key : SecureKernel.HalpHvciEnabled
Value: 0
Key : WER.OS.Branch
Value: ge_release
Key : WER.OS.Version
Value: 10.0.26100.1
BUGCHECK_CODE: 50
BUGCHECK_P1: ffffcb8290ebaf80
BUGCHECK_P2: 0
BUGCHECK_P3: fffff8077d58435b
BUGCHECK_P4: 0
FAULTING_THREAD: ffffa685ad7e7080
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: ffffcb8290ebaf80
READ_ADDRESS: ffffcb8290ebaf80 Special pool
PROCESS_NAME: poc.exe
IP_IN_PAGED_CODE: cldflt!CldiStreamCompleteRequest+12f fffff807`7d58435b 488b4500 mov rax,qword ptr [rbp]
STACK_TEXT:
*** WARNING: Unable to verify checksum for poc.exe
Unable to load image C:\repro_stream_uaf\poc.exe, Win32 error 0n2
ffffc80b34fedcf8 fffff801bdcbfa92 : ffffc80b34fedd78 0000000000000001 0000000000000080 fffff801bddd2a01 : nt!DbgBreakPointWithStatus
ffffc80b34fedd00 fffff801bdcbefbe : 0000000000000003 ffffc80b34fede60 fffff801bddd2c90 ffffc80b34fee420 : nt!KiBugCheckDebugBreak+0x12
ffffc80b34fedd60 fffff801bdc08557 : 0000000000000000 fffff801bda1caf2 0000000000000003 0000000000000003 : nt!KeBugCheck2+0xb2e
ffffc80b34fee4f0 fffff801bda1e89d : 0000000000000050 ffffcb8290ebaf80 0000000000000000 ffffc80b34fee790 : nt!KeBugCheckEx+0x107
ffffc80b34fee530 fffff801bd953e96 : 0000000000000000 ffff800000000000 ffffcb8290ebaf80 0000007ffffffff8 : nt!MiSystemFault+0x78d
ffffc80b34fee620 fffff801bddc80cb : ffffcb8290ebaf80 ffffcb8290ebaf80 0000000000000000 ffffa685a3dad420 : nt!MmAccessFault+0x646
ffffc80b34fee790 fffff8077d58435b : 0000000000000000 ffffcb82900f2a80 0000000000000000 0000400100000001 : nt!KiPageFault+0x38b
ffffc80b34fee920 fffff8077d540e8c : 0000000000000000 0000000000000000 ffffcb82900f2a80 0000000000000000 : cldflt!CldiStreamCompleteRequest+0x12f
ffffc80b34fee9a0 fffff8077d540a60 : 0000000000000000 ffffcb82900f2a80 ffffc80b34feea68 ffffa685a7a86f10 : cldflt!CldiStreamCompleteCanceledRequest+0x234
ffffc80b34feea40 fffff8077d534ec0 : 01dcec7b5946f732 ffffcb82900f2a80 0000000000000002 0000000000000100 : cldflt!CldiStreamCancelSynchronousRequest+0x68
ffffc80b34feea70 fffff8077d5376ee : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : cldflt!CldiStreamStartCountdownTimer+0x150
ffffc80b34feeaa0 fffff8077d57cc0f : 0000000000000000 0000000000000000 0000000000000002 0000000000000100 : cldflt!CldiStreamRestartCountdownTimer+0x66
ffffc80b34feeae0 fffff8077d57b50c : 0000000000000001 0000000edabfdf90 0000000000001c20 ffffc80b34feed68 : cldflt!CldStreamQueryProgress+0x168b
ffffc80b34feecc0 fffff8077d57b209 : 0000000000004001 0000000000000000 0000000100001c20 ffffcb8290f6cf20 : cldflt!CldiPortProcessQueryProgress+0x2b4
ffffc80b34feed30 fffff8077d54af49 : 0000000000004001 0000000000000000 0000000000000000 0000000000000000 : cldflt!CldiPortProcessFilterControl+0x4d
ffffc80b34feed60 fffff8014f233622 : ffffcb8290ee6ee0 0000000edabfde30 00000000000000e0 0000000edabfddb0 : cldflt!CldiPortNotifyMessage+0xcc9
ffffc80b34feee70 fffff8014f27f632 : ffffa685af8dad60 0000000edabfde30 ffffa685af8dae30 fffff801be5259c0 : FLTMGR!FltpFilterMessage+0x162
ffffc80b34feeee0 fffff8014f23b9c3 : ffffa685af8dad60 ffffc80b34fef0d0 ffffa685a05a4bf0 0000000000000000 : FLTMGR!FltpMsgDispatch+0xf2
ffffc80b34feef50 fffff801bd96ccfb : ffffc80b34fef008 0000000000060000 ffffa685b0624ac0 fffff801bdf561b9 : FLTMGR!FltpDispatch+0x133
ffffc80b34feeff0 fffff801bd96cc73 : ffffa685b0624ac0 ffffa685b0624ac0 0000002000000000 0000000000000000 : nt!IopfCallDriver+0x5b
ffffc80b34fef030 fffff801bdfdb3a5 : ffffa685b0624ac0 ffffc80b34fef0d0 ffffa685a05a4bf0 0000000000000000 : nt!IofCallDriver+0x13
ffffc80b34fef060 fffff801bdfda1ec : 0000000000000000 0000000000000001 0000000000000001 0000000000000001 : nt!IopSynchronousServiceTail+0x1c5
ffffc80b34fef110 fffff801bdfd983e : 0000000000000000 fffff801bda3ce9f 0000000000000000 0000000000000000 : nt!IopXxxControlFile+0x99c
ffffc80b34fef380 fffff801bddcc558 : 0000000000000000 0000000000000000 0000000eda776000 0000000000000000 : nt!NtDeviceIoControlFile+0x5e
ffffc80b34fef3f0 00007ffdb8de1d84 : 00007ffdaa833bc2 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x28
0000000edabfdca8 00007ffdaa833bc2 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!NtDeviceIoControlFile+0x14
0000000edabfdcb0 00007ffdaa8331a1 : 0000000000000000 0000000edabfdf80 0000000000000000 0000000000000000 : FLTLIB!FilterpDeviceIoControl+0x13e
0000000edabfdd20 00007ffda4503434 : 0000000000000000 0000000000000000 0000000edabfde70 0000000000000000 : FLTLIB!FilterSendMessage+0x31
0000000edabfdd70 00007ff79cb147fc : 0000000000000000 0000000000000000 ffffffffffffd8f0 0000000000000000 : cldapi!CfQueryProgress+0x3f4
0000000edabfdf60 0000000000000000 : 0000000000000000 ffffffffffffd8f0 0000000000000000 0000000000000032 : poc+0x47fc
SYMBOL_NAME: cldflt!CldiStreamCompleteRequest+12f
MODULE_NAME: cldflt
IMAGE_NAME: cldflt.sys
STACK_COMMAND: .process /r /p 0xffffa685b001a080; .thread /r /p 0xffffa685ad7e7080 ; kb
BUCKET_ID_FUNC_OFFSET: 12f
FAILURE_BUCKET_ID: AV_VRF_cldflt!CldiStreamCompleteRequest
OS_VERSION: 10.0.26100.1
BUILDLAB_STR: ge_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {61f2862e-d255-0a0b-0f7e-ddec7a333e8f}
```
Vendor Link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58613
2026-06-01 - Vendor Disclosure
2026-07-14 - Vendor Patch Release
2026-07-14 - Public Release
Marcin 'Icewall' Noga of Cisco Talos