CISA KEV Alert 4/13/2026, 9:27:47 PM

CISA Adds CVE-2023-36424 to Known Exploited Vulnerabilities Catalogue

Evidence panel (CyberSIXT): source marked as original reporting
Primary source: cisa.gov
CISA KEV: listed in KEV
Patch: patch available

CISA has added CVE-2023-36424 to its Known Exploited Vulnerabilities catalogue, affecting Microsoft Windows. The vulnerability, named Microsoft Windows Out-of-Bounds Read Vulnerability, resides in the Common Log File System Driver and could allow a threat actor to achieve privilege escalation.

The flaw is an out-of-bounds read condition that can be exploited locally to read memory beyond the intended buffer, potentially leading to the execution of arbitrary code with elevated privileges. It carries a CVSS v3.1 score of 7.8, rated HIGH, and a security update is available from Microsoft via the MSRC advisory.

Active exploitation has been confirmed, which is the basis for its inclusion in the KEV catalogue; there is no publicly known association with ransomware campaigns at this time. Federal agencies must apply the required mitigations by the CISA remediation deadline of 27 April 2026.

CISA’s required action is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. While this directive binds Federal Civilian Executive Branch agencies, all organisations should review their Windows environments for exposure and implement the available patch or mitigations as a precaution.
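To turn the remediation deadline above into a repeatable check across a whole KEV feed, here is an added Python example (not CISA's or CyberSIXT's code) that parses records in the shape of CISA's public KEV JSON feed and ranks one vendor's entries by urgency. The sample feed is constructed: the first record mirrors this alert (its dateAdded is assumed), the other two are placeholders that only exercise the overdue, ransomware and vendor-filter branches, and the 14-day "due soon" threshold is an assumption.

```python
"""Triage KEV entries for one vendor: overdue, due soon, or ransomware-linked first."""
import json
from datetime import date

# Constructed sample in the shape of the public KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# First record mirrors the alert (dateAdded assumed); the others are placeholders.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-36424", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Microsoft Windows Out-of-Bounds Read Vulnerability",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27",
     "requiredAction": "Apply mitigations per vendor instructions for this vulnerability.",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-YYYY-NNNNN", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Placeholder entry (constructed)",
     "dateAdded": "2026-03-20", "dueDate": "2026-04-10",
     "requiredAction": "Apply mitigations per vendor instructions for this vulnerability.",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-YYYY-MMMMM", "vendorProject": "OtherVendor", "product": "Appliance",
     "vulnerabilityName": "Placeholder entry (constructed)",
     "dateAdded": "2026-04-01", "dueDate": "2026-04-22",
     "requiredAction": "Apply mitigations per vendor instructions for this vulnerability.",
     "knownRansomwareCampaignUse": "Unknown"},
]})

DUE_SOON_DAYS = 14  # assumption: anything due within two weeks is flagged as urgent


def triage(feed_json, vendor, today, due_soon_days=DUE_SOON_DAYS):
    """Return the vendor's KEV entries, most urgent first, each with a status label."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    rows = []
    for entry in json.loads(feed_json)["vulnerabilities"]:
        if entry["vendorProject"].lower() != vendor.lower():
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        status = ("overdue" if days_left < 0
                  else "due_soon" if days_left <= due_soon_days else "on_track")
        rows.append({"cveID": entry["cveID"], "product": entry["product"],
                     "dueDate": entry["dueDate"], "days_left": days_left,
                     "status": status,
                     # the feed records ransomware use as "Known" or "Unknown"
                     "ransomware": entry["knownRansomwareCampaignUse"] == "Known"})
    # ransomware-linked entries first, then by fewest days remaining (overdue is negative)
    rows.sort(key=lambda r: (not r["ransomware"], r["days_left"]))
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_FEED, "Microsoft", "2026-04-20"):
        print(f'{r["cveID"]:16} {r["status"]:9} due {r["dueDate"]} '
              f'({r["days_left"]:+d} days) ransomware={r["ransomware"]}')
```

Point it at the live feed by replacing SAMPLE_FEED with the downloaded JSON text; the field names are unchanged.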

For full technical details, consult the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2023-36424 and the CISA KEV catalogue at https://www.cisa.gov/known-exploited-vulnerabilities-catalogue.


Article by CyberSIXT