Talos Vulnerability Report

TALOS-2026-2426

Microsoft Windows Cloud Files Mini Filter Driver CldiStreamCompleteRequest use-after-free vulnerability

July 15, 2026

CVE Number

CVE-2026-58613

Summary

A use-after-free vulnerability exists in the CldiStreamCompleteRequest functionality of Windows Cloud Files Mini Filter Driver (version(s): 10.0.26100.8457 (WinBuild.160101.0800)). A specially crafted sequence of Cloud Filter API calls can lead to privilege escalation. An attacker can execute a dedicated application to trigger this vulnerability.

Confirmed Vulnerable Versions

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Windows Cloud Files Mini Filter Driver (version(s): 10.0.26100.8457 (WinBuild.160101.0800))

Product URLs

Windows Cloud Files Mini Filter Driver - https://www.microsoft.com/

CVSSv3 Score

8.8 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Details

The Cloud Files Mini-Filter Driver (cldflt.sys) is a Microsoft Windows kernel-mode filesystem driver that enables cloud storage integration features such as OneDrive Files On-Demand. It manages cloud-based placeholder files, synchronizes data between local storage and cloud services, and downloads files automatically when users access them. The driver operates within the Windows file system stack to make cloud files behave like regular local files.

Background: Global Countdown Timer List

The Cloud Files Mini-Filter Driver manages cloud placeholder files for sync engines (OneDrive, Dropbox, etc.) and handles on-demand file hydration. The driver maintains a system-wide global countdown timer list — a kernel-mode linked list that tracks all pending blocking requests sent to cloud sync providers. This watchdog mechanism ensures that if a provider becomes unresponsive, the file system does not hang indefinitely. Each request placed on this list is assigned a 60-second deadline.

The global timer list is used in several core scenarios:

File hydration, Directory population, Notification acknowledgement, and most importantly for this vulnerability:

Provider progress reporting: When a sync provider calls CfReportProviderProgress / CfReportProviderProgress2 to report incomplete hydration progress (e.g., “downloaded 297 KB of 1000 KB”), the driver creates an internal provider request on the timer list. This allows the system to track in-progress transfers and cancel them if the provider disappears.

After a request’s 60-second deadline expires, the driver’s internal timer DPC fires and a worker thread walks the global list, cancelling all expired requests. This walk can also be triggered manually using the undocumented CfQueryProgress API call (used by Windows Shell to display hydration progress bars in File Explorer).

Vulnerability Trigger

Step 1: Adding a request to the global timer list

A cloud sync provider calls CfReportProviderProgress or CfReportProviderProgress2 to report incomplete hydration progress on a placeholder file (e.g., completed=297 out of total=1000). Inside the kernel, this traverses:

User-mode: CfReportProviderProgress2(connKey, transferKey, reqKey, total=1000, completed=297, sessionId=0) → cldapi!CfReportProviderProgress2 → FilterSendMessage → cldflt!CldiPortNotifyMessage → CldiPortProcessTransfer → CldiPortProcessReportProgress → CldSyncReportProgress → CldStreamReportProgress → CldiStreamBuildProviderRequest → CldiStreamInsertIntoGlobalRequestListNoLock ← INSERT_GLOBAL

The request is created when progressCompleted < progressTotal and no existing provider request is pending on the stream. At this point, the request holds a reference to the HSM_STREAM_CONTEXT via pRequest->pStreamHandleCtx->pStreamCtx. The stream context’s FltMgr refcount is > 1 (the file on disk, the NTFS file object, and various FltMgr internals all contribute additional references).

Step 2: Orphaning the request via process termination

The provider process terminates — without calling CfDisconnectSyncRoot or CfUnregisterSyncRoot. Result: the request survives on the global timer list after the provider process is gone. It becomes an orphan — no user-mode provider will ever complete it, and no disconnect logic will clean it up. The only thing that will touch it is the 60-second timeout mechanism. Note: CfUnregisterSyncRoot, if called from the same process, would drain the request from the global list with status STATUS_CLOUD_FILE_PROVIDER_TERMINATED (0xC000CF16). By terminating the process without calling it, this cleanup path is bypassed entirely.

Step 3: Eroding the stream context refcount

Removing files and placeholders from the sync root directory (e.g., via rmdir /s /q) causes NTFS file close operations. Each file close traverses the NTFS → FltMgr cleanup path, which calls FltReleaseContext on cached stream context references. This erodes the HSM_STREAM_CONTEXT refcount, eventually leaving the orphaned timer-list request as the sole remaining reference (refcount == 1).

Step 4: Timer expiry and the UAF trigger

Approximately 60 seconds after the request was inserted (Step 1), its deadline expires. We trigger the timer walk by calling the undocumented CfQueryProgress API, which sends port command 0x4001 to \CLDMSGPORT. In the kernel, this enters:

CfQueryProgress → FilterSendMessage (port cmd 0x4001) → CldiPortProcessFilterControl → CldiPortProcessQueryProgress → CldStreamQueryProgress → CldiStreamRestartCountdownTimer → CldiStreamStartCountdownTimer(bCancelAll=0)

CldiStreamStartCountdownTimer walks the global request list and cancels all expired requests:

```c do { AcquireResourceExclusive(&Resource);

if (ListEmpty) break;

pRequest = HEAD of list;
deadline = pRequest->DeadlineTimestamp;

if (deadline > currentTime)      // NOT expired
    break;                       // re-arm timer for remaining time

// EXPIRED:
RemoveFromGlobalList(pRequest);
pRequest->RemovedFromGlobalList = 1;

ReleaseResource(&Resource);

if (pRequest->MasterRequest)
    FltCancelIo(pRequest->MasterRequest->UserCbd);  // CVE-2023-29361 path (IRP-based)
else
    CldiStreamCancelSynchronousRequest(pRequest);    // OUR vulnerability path (no IRP)

} while (1); ```

Our request has MasterRequest == NULL because it was created by CfReportProviderProgress2 (a provider-initiated operation with no associated user I/O request). This takes the CldiStreamCancelSynchronousRequest path, which eventually calls CldiStreamCompleteRequest.

Step 5: CldiStreamCompleteRequest - UAF

When cldflt crashes we see the following state:

6: kd> kb # RetAddr : Args to Child : Call Site 00 fffff807`7d540e8c : 00000000`00000000 00000000`00000000 ffffcb82`900f2a80 00000000`00000000 : cldflt!CldiStreamCompleteRequest+0x12f 01 fffff807`7d540a60 : 00000000`00000000 ffffcb82`900f2a80 ffffc80b`34feea68 ffffa685`a7a86f10 : cldflt!CldiStreamCompleteCanceledRequest+0x234 02 fffff807`7d534ec0 : 01dcec7b`5946f732 ffffcb82`900f2a80 00000000`00000002 00000000`00000100 : cldflt!CldiStreamCancelSynchronousRequest+0x68 03 fffff807`7d5376ee : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : cldflt!CldiStreamStartCountdownTimer+0x150 04 fffff807`7d57cc0f : 00000000`00000000 00000000`00000000 00000000`00000002 00000000`00000100 : cldflt!CldiStreamRestartCountdownTimer+0x66 05 fffff807`7d57b50c : 00000000`00000001 0000000e`dabfdf90 00000000`00001c20 ffffc80b`34feed68 : cldflt!CldStreamQueryProgress+0x168b 06 fffff807`7d57b209 : 00000000`00004001 00000000`00000000 00000001`00001c20 ffffcb82`90f6cf20 : cldflt!CldiPortProcessQueryProgress+0x2b4 07 fffff807`7d54af49 : 00000000`00004001 00000000`00000000 00000000`00000000 00000000`00000000 : cldflt!CldiPortProcessFilterControl+0x4d 08 fffff801`4f233622 : ffffcb82`90ee6ee0 0000000e`dabfde30 00000000`000000e0 0000000e`dabfddb0 : cldflt!CldiPortNotifyMessage+0xcc9 09 fffff801`4f27f632 : ffffa685`af8dad60 0000000e`dabfde30 ffffa685`af8dae30 fffff801`be5259c0 : FLTMGR!FltpFilterMessage+0x162 0a fffff801`4f23b9c3 : ffffa685`af8dad60 ffffc80b`34fef0d0 ffffa685`a05a4bf0 00000000`00000000 : FLTMGR!FltpMsgDispatch+0xf2 0b fffff801`bd96ccfb : ffffc80b`34fef008 00000000`00060000 ffffa685`b0624ac0 fffff801`bdf561b9 : FLTMGR!FltpDispatch+0x133 0c fffff801`bd96cc73 : ffffa685`b0624ac0 ffffa685`b0624ac0 00000020`00000000 00000000`00000000 : nt!IopfCallDriver+0x5b 0d fffff801`bdfdb3a5 : ffffa685`b0624ac0 ffffc80b`34fef0d0 ffffa685`a05a4bf0 00000000`00000000 : nt!IofCallDriver+0x13 0e fffff801`bdfda1ec : 00000000`00000000 00000000`00000001 00000000`00000001 00000000`00000001 : nt!IopSynchronousServiceTail+0x1c5 0f fffff801`bdfd983e : 00000000`00000000 fffff801`bda3ce9f 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x99c 10 fffff801`bddcc558 : 00000000`00000000 00000000`00000000 0000000e`da776000 00000000`00000000 : nt!NtDeviceIoControlFile+0x5e 11 00007ffd`b8de1d84 : 00007ffd`aa833bc2 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28 12 00007ffd`aa833bc2 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!NtDeviceIoControlFile+0x14 13 00007ffd`aa8331a1 : 00000000`00000000 0000000e`dabfdf80 00000000`00000000 00000000`00000000 : FLTLIB!FilterpDeviceIoControl+0x13e 14 00007ffd`a4503434 : 00000000`00000000 00000000`00000000 0000000e`dabfde70 00000000`00000000 : FLTLIB!FilterSendMessage+0x31 15 00007ff7`9cb147fc : 00000000`00000000 00000000`00000000 ffffffff`ffffd8f0 00000000`00000000 : cldapi!CfQueryProgress+0x3f4 16 00000000`00000000 : 00000000`00000000 ffffffff`ffffd8f0 00000000`00000000 00000000`00000032 : poc+0x47fc 6: kd> r rax=0000000000000036 rbx=0000000000000000 rcx=0000000000000000 rdx=0000000000000034 rsi=ffffcb82900f2a80 rdi=0000000000000000 rip=fffff8077d58435b rsp=ffffc80b34fee920 rbp=ffffcb8290ebaf80 r8=0000000000000036 r9=0000000000000001 r10=fffff801bd91de80 r11=ffffa685abe1c430 r12=00000000c000cf1f r13=00270000000289b7 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040282 cldflt!CldiStreamCompleteRequest+0x12f: fffff807`7d58435b 488b4500 mov rax,qword ptr [rbp] ss:0018:ffffcb82`90ebaf80=????????????????

To have a better picture let us take a glance on the most important parts of CldiStreamCompleteRequest:

C++ Line 1 void __fastcall CldiStreamCompleteRequest( Line 2 HSM_STREAM_HANDLE_CONTEXT *pStreamHandleCtx, Line 3 CLD_STREAM_REQUEST *pRequest, Line 4 __int64 completionStatus, Line 5 unsigned int cancelFlags) Line 6 { Line 7 Line 8 (...) Line 9 if ( (unsigned int)Feature_H2E_WPA3SAE__private_IsEnabledDeviceUsage_1() ) //Code introduced in May update Line 10 { Line 11 CldiStreamDeleteRequest(pRequest); // <-- First FREE REQUEST ?! Line 12 CldiStreamCdqRELEASE((PFLT_CALLBACK_DATA_QUEUE)(*((_QWORD *)pStreamHandleCtx->pStreamCtx + 1) + 144LL), v15);// UAF!!! Line 13 } Line 14 else Line 15 { Line 16 if ( !pRequest->TimeoutType ) Line 17 CldiStreamCdqRELEASE((PFLT_CALLBACK_DATA_QUEUE)(*((_QWORD *)pStreamHandleCtx->pStreamCtx + 1) + 144LL), v14); Line 18 CldiStreamDeleteRequest(pRequest); Line 19 }

We can see that in line 11 our request will be freed. Let us remind that pRequest keeps the following fields in its structure : pRequest->pStreamHandleCtx and pStreamHandleCtx->pStreamCtx Inside CldiStreamDeleteRequest function, FltReleaseContext drops the stream context refcount. Since our orphaned request holds the last reference (refcount == 1 after Step 3), the refcount drops to zero. This synchronously triggers the FltMgr cleanup callback chain — on the same thread, in the same call stack: CldiStreamDeleteRequest+0xC5: FltReleaseContext(pStreamCtx) → FltMgr: refcount → 0, invoke cleanup callback → HsmFltDeleteSTREAM_CONTEXT+0x1E → CldHsmDeleteStreamContext+0x1B → CldStreamClose+0x154: ExFreePoolWithTag(pCldStream, 'Clst') ← POOL BLOCK FREED

When execution returns to CldiStreamCompleteRequest, it attempts CldiStreamCdqRELEASE which dereferences pStreamHandleCtx->pStreamCtx — a pointer to the just-freed pool block. We can verify the rbp value from the crash:

6: kd> !verifier 0x80 ffffcb82`90ebaf80 ====================================================================== Pool block ffffcb8290ebaf80, Size 0000000000000080, Thread ffffa685ad7e7080 fffff801bda59700 nt!ExpFreePoolChecks+0x40 fffff801be282eca nt!ExFreePoolWithTag+0x165a fffff801bdd2b8cc nt!DifExFreePoolWithTagWrapper+0xdc fffff8077d5737b0 cldflt!CldStreamClose+0x160 fffff8077d57362b cldflt!CldHsmDeleteStreamContext+0x1b fffff8077d57400e cldflt!HsmFltDeleteSTREAM_CONTEXT+0x1e fffff8014f223c57 FLTMGR!FltReleaseContext+0x437 fffff8077d534ce1 cldflt!CldiStreamDeleteRequest+0xc5 fffff8077d58435b cldflt!CldiStreamCompleteRequest+0x12f fffff8077d540e8c cldflt!CldiStreamCompleteCanceledRequest+0x234 fffff8077d540a60 cldflt!CldiStreamCancelSynchronousRequest+0x68 fffff8077d534ec0 cldflt!CldiStreamStartCountdownTimer+0x150 fffff8077d5376ee cldflt!CldiStreamRestartCountdownTimer+0x66 fffff8077d57cc0f cldflt!CldStreamQueryProgress+0x168b fffff8077d57b50c cldflt!CldiPortProcessQueryProgress+0x2b4 fffff8077d57b209 cldflt!CldiPortProcessFilterControl+0x4d fffff8077d54af49 cldflt!CldiPortNotifyMessage+0xcc9 fffff8014f233622 FLTMGR!FltpFilterMessage+0x162 fffff8014f27f632 FLTMGR!FltpMsgDispatch+0xf2 fffff8014f23b9c3 FLTMGR!FltpDispatch+0x133 fffff801bd96ccfb nt!IopfCallDriver+0x5b fffff801bd96cc73 nt!IofCallDriver+0x13 fffff801bdfdb3a5 nt!IopSynchronousServiceTail+0x1c5 fffff801bdfda1ec nt!IopXxxControlFile+0x99c fffff801bdfd983e nt!NtDeviceIoControlFile+0x5e fffff801bddcc558 nt!KiSystemServiceCopyEnd+0x28

The poor object memory management handling has led to a potentially dangerous use-after-free vulnerability, which may consequently result in local privilege escalations.

Crash Information

``` 6: kd> !analyze -v *************************** * * * Bugcheck Analysis * * * ***************************

PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: ffffcb8290ebaf80, memory referenced. Arg2: 0000000000000000, X64: bit 0 set if the fault was due to a not-present PTE. bit 1 is set if the fault was due to a write, clear if a read. bit 3 is set if the processor decided the fault was due to a corrupted PTE. bit 4 is set if the fault was due to attempted execute of a no-execute PTE. - ARM64: bit 1 is set if the fault was due to a write, clear if a read. bit 3 is set if the fault was due to attempted execute of a no-execute PTE. Arg3: fffff8077d58435b, If non-zero, the instruction address which referenced the bad memory address. Arg4: 0000000000000000, (reserved)

Debugging Details:

** WARNING: Unable to verify checksum for poc.exe Unable to load image C:\repro_stream_uaf\poc.exe, Win32 error 0n2 ** WARNING: Unable to verify checksum for poc.exe Unable to load image C:\repro_stream_uaf\poc.exe, Win32 error 0n2 *** WARNING: Unable to verify checksum for poc.exe Unable to load image C:\repro_stream_uaf\poc.exe, Win32 error 0n2

KEY_VALUES_STRING: 1

Key  : AV.PTE
Value: Invalid

Key  : AV.Page.Virtual
Value: 0xffffcb8290eb0000

Key  : AV.Type
Value: Read

Key  : Analysis.CPU.mSec
Value: 3875

Key  : Analysis.Elapsed.mSec
Value: 7253

Key  : Analysis.IO.Other.Mb
Value: 2030

Key  : Analysis.IO.Read.Mb
Value: 45

Key  : Analysis.IO.Write.Mb
Value: 5291

Key  : Analysis.Init.CPU.mSec
Value: 1395312

Key  : Analysis.Memory.CommitPeak.Mb
Value: 633

Key  : Analysis.Version.DbgEng
Value: 10.0.29547.1002

Key  : Analysis.Version.Description
Value: 10.2602.27.2 amd64fre

Key  : Analysis.Version.Ext
Value: 1.2602.27.2

Key  : Bugcheck.Code.KiBugCheckData
Value: 0x50

Key  : Bugcheck.Code.LegacyAPI
Value: 0x50

Key  : Bugcheck.Code.TargetModel
Value: 0x50

Key  : Failure.Bucket
Value: AV_VRF_cldflt!CldiStreamCompleteRequest

Key  : Failure.Exception.IP.Address
Value: 0xfffff8077d58435b

Key  : Failure.Exception.IP.Module
Value: cldflt

Key  : Failure.Exception.IP.Offset
Value: 0x8435b

Key  : Failure.Hash
Value: {61f2862e-d255-0a0b-0f7e-ddec7a333e8f}

Key  : Faulting.IP.Type
Value: Paged

Key  : Hypervisor.Enlightenments.ValueHex
Value: 0x6090ebf4

Key  : Hypervisor.Flags.AnyHypervisorPresent
Value: 1

Key  : Hypervisor.Flags.ApicEnlightened
Value: 1

Key  : Hypervisor.Flags.ApicVirtualizationAvailable
Value: 0

Key  : Hypervisor.Flags.AsyncMemoryHint
Value: 0

Key  : Hypervisor.Flags.CoreSchedulerRequested
Value: 0

Key  : Hypervisor.Flags.CpuManager
Value: 0

Key  : Hypervisor.Flags.DeprecateAutoEoi
Value: 0

Key  : Hypervisor.Flags.DynamicCpuDisabled
Value: 1

Key  : Hypervisor.Flags.Epf
Value: 0

Key  : Hypervisor.Flags.ExtendedProcessorMasks
Value: 1

Key  : Hypervisor.Flags.HardwareMbecAvailable
Value: 1

Key  : Hypervisor.Flags.MaxBankNumber
Value: 0

Key  : Hypervisor.Flags.MemoryZeroingControl
Value: 0

Key  : Hypervisor.Flags.NoExtendedRangeFlush
Value: 0

Key  : Hypervisor.Flags.NoNonArchCoreSharing
Value: 0

Key  : Hypervisor.Flags.Phase0InitDone
Value: 1

Key  : Hypervisor.Flags.PowerSchedulerQos
Value: 0

Key  : Hypervisor.Flags.RootScheduler
Value: 0

Key  : Hypervisor.Flags.SynicAvailable
Value: 1

Key  : Hypervisor.Flags.UseQpcBias
Value: 0

Key  : Hypervisor.Flags.Value
Value: 659693

Key  : Hypervisor.Flags.ValueHex
Value: 0xa10ed

Key  : Hypervisor.Flags.VpAssistPage
Value: 1

Key  : Hypervisor.Flags.VsmAvailable
Value: 1

Key  : Hypervisor.RootFlags.AccessStats
Value: 0

Key  : Hypervisor.RootFlags.CrashdumpEnlightened
Value: 0

Key  : Hypervisor.RootFlags.CreateVirtualProcessor
Value: 0

Key  : Hypervisor.RootFlags.DisableHyperthreading
Value: 0

Key  : Hypervisor.RootFlags.HostTimelineSync
Value: 0

Key  : Hypervisor.RootFlags.HypervisorDebuggingEnabled
Value: 0

Key  : Hypervisor.RootFlags.IsHyperV
Value: 0

Key  : Hypervisor.RootFlags.LivedumpEnlightened
Value: 0

Key  : Hypervisor.RootFlags.MapDeviceInterrupt
Value: 0

Key  : Hypervisor.RootFlags.MceEnlightened
Value: 0

Key  : Hypervisor.RootFlags.Nested
Value: 0

Key  : Hypervisor.RootFlags.StartLogicalProcessor
Value: 0

Key  : Hypervisor.RootFlags.Value
Value: 0

Key  : Hypervisor.RootFlags.ValueHex
Value: 0x0

Key  : SecureKernel.HalpHvciEnabled
Value: 0

Key  : WER.OS.Branch
Value: ge_release

Key  : WER.OS.Version
Value: 10.0.26100.1

BUGCHECK_CODE: 50

BUGCHECK_P1: ffffcb8290ebaf80

BUGCHECK_P2: 0

BUGCHECK_P3: fffff8077d58435b

BUGCHECK_P4: 0

FAULTING_THREAD: ffffa685ad7e7080

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: ffffcb8290ebaf80

READ_ADDRESS: ffffcb8290ebaf80 Special pool

PROCESS_NAME: poc.exe

IP_IN_PAGED_CODE: cldflt!CldiStreamCompleteRequest+12f fffff807`7d58435b 488b4500 mov rax,qword ptr [rbp]

STACK_TEXT:
*** WARNING: Unable to verify checksum for poc.exe Unable to load image C:\repro_stream_uaf\poc.exe, Win32 error 0n2 ffffc80b34fedcf8 fffff801bdcbfa92 : ffffc80b34fedd78 0000000000000001 0000000000000080 fffff801bddd2a01 : nt!DbgBreakPointWithStatus ffffc80b34fedd00 fffff801bdcbefbe : 0000000000000003 ffffc80b34fede60 fffff801bddd2c90 ffffc80b34fee420 : nt!KiBugCheckDebugBreak+0x12 ffffc80b34fedd60 fffff801bdc08557 : 0000000000000000 fffff801bda1caf2 0000000000000003 0000000000000003 : nt!KeBugCheck2+0xb2e ffffc80b34fee4f0 fffff801bda1e89d : 0000000000000050 ffffcb8290ebaf80 0000000000000000 ffffc80b34fee790 : nt!KeBugCheckEx+0x107 ffffc80b34fee530 fffff801bd953e96 : 0000000000000000 ffff800000000000 ffffcb8290ebaf80 0000007ffffffff8 : nt!MiSystemFault+0x78d ffffc80b34fee620 fffff801bddc80cb : ffffcb8290ebaf80 ffffcb8290ebaf80 0000000000000000 ffffa685a3dad420 : nt!MmAccessFault+0x646 ffffc80b34fee790 fffff8077d58435b : 0000000000000000 ffffcb82900f2a80 0000000000000000 0000400100000001 : nt!KiPageFault+0x38b ffffc80b34fee920 fffff8077d540e8c : 0000000000000000 0000000000000000 ffffcb82900f2a80 0000000000000000 : cldflt!CldiStreamCompleteRequest+0x12f ffffc80b34fee9a0 fffff8077d540a60 : 0000000000000000 ffffcb82900f2a80 ffffc80b34feea68 ffffa685a7a86f10 : cldflt!CldiStreamCompleteCanceledRequest+0x234 ffffc80b34feea40 fffff8077d534ec0 : 01dcec7b5946f732 ffffcb82900f2a80 0000000000000002 0000000000000100 : cldflt!CldiStreamCancelSynchronousRequest+0x68 ffffc80b34feea70 fffff8077d5376ee : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : cldflt!CldiStreamStartCountdownTimer+0x150 ffffc80b34feeaa0 fffff8077d57cc0f : 0000000000000000 0000000000000000 0000000000000002 0000000000000100 : cldflt!CldiStreamRestartCountdownTimer+0x66 ffffc80b34feeae0 fffff8077d57b50c : 0000000000000001 0000000edabfdf90 0000000000001c20 ffffc80b34feed68 : cldflt!CldStreamQueryProgress+0x168b ffffc80b34feecc0 fffff8077d57b209 : 0000000000004001 0000000000000000 0000000100001c20 ffffcb8290f6cf20 : cldflt!CldiPortProcessQueryProgress+0x2b4 ffffc80b34feed30 fffff8077d54af49 : 0000000000004001 0000000000000000 0000000000000000 0000000000000000 : cldflt!CldiPortProcessFilterControl+0x4d ffffc80b34feed60 fffff8014f233622 : ffffcb8290ee6ee0 0000000edabfde30 00000000000000e0 0000000edabfddb0 : cldflt!CldiPortNotifyMessage+0xcc9 ffffc80b34feee70 fffff8014f27f632 : ffffa685af8dad60 0000000edabfde30 ffffa685af8dae30 fffff801be5259c0 : FLTMGR!FltpFilterMessage+0x162 ffffc80b34feeee0 fffff8014f23b9c3 : ffffa685af8dad60 ffffc80b34fef0d0 ffffa685a05a4bf0 0000000000000000 : FLTMGR!FltpMsgDispatch+0xf2 ffffc80b34feef50 fffff801bd96ccfb : ffffc80b34fef008 0000000000060000 ffffa685b0624ac0 fffff801bdf561b9 : FLTMGR!FltpDispatch+0x133 ffffc80b34feeff0 fffff801bd96cc73 : ffffa685b0624ac0 ffffa685b0624ac0 0000002000000000 0000000000000000 : nt!IopfCallDriver+0x5b ffffc80b34fef030 fffff801bdfdb3a5 : ffffa685b0624ac0 ffffc80b34fef0d0 ffffa685a05a4bf0 0000000000000000 : nt!IofCallDriver+0x13 ffffc80b34fef060 fffff801bdfda1ec : 0000000000000000 0000000000000001 0000000000000001 0000000000000001 : nt!IopSynchronousServiceTail+0x1c5 ffffc80b34fef110 fffff801bdfd983e : 0000000000000000 fffff801bda3ce9f 0000000000000000 0000000000000000 : nt!IopXxxControlFile+0x99c ffffc80b34fef380 fffff801bddcc558 : 0000000000000000 0000000000000000 0000000eda776000 0000000000000000 : nt!NtDeviceIoControlFile+0x5e ffffc80b34fef3f0 00007ffdb8de1d84 : 00007ffdaa833bc2 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x28 0000000edabfdca8 00007ffdaa833bc2 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!NtDeviceIoControlFile+0x14 0000000edabfdcb0 00007ffdaa8331a1 : 0000000000000000 0000000edabfdf80 0000000000000000 0000000000000000 : FLTLIB!FilterpDeviceIoControl+0x13e 0000000edabfdd20 00007ffda4503434 : 0000000000000000 0000000000000000 0000000edabfde70 0000000000000000 : FLTLIB!FilterSendMessage+0x31 0000000edabfdd70 00007ff79cb147fc : 0000000000000000 0000000000000000 ffffffffffffd8f0 0000000000000000 : cldapi!CfQueryProgress+0x3f4 0000000edabfdf60 0000000000000000 : 0000000000000000 ffffffffffffd8f0 0000000000000000 0000000000000032 : poc+0x47fc

SYMBOL_NAME: cldflt!CldiStreamCompleteRequest+12f

MODULE_NAME: cldflt

IMAGE_NAME: cldflt.sys

STACK_COMMAND: .process /r /p 0xffffa685b001a080; .thread /r /p 0xffffa685ad7e7080 ; kb

BUCKET_ID_FUNC_OFFSET: 12f

FAILURE_BUCKET_ID: AV_VRF_cldflt!CldiStreamCompleteRequest

OS_VERSION: 10.0.26100.1

BUILDLAB_STR: ge_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {61f2862e-d255-0a0b-0f7e-ddec7a333e8f}

Followup: MachineOwner

```

Vendor Response (CVE-2026-58613)

Vendor Link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58613

Timeline

2026-06-01 - Vendor Disclosure
2026-07-14 - Vendor Patch Release
2026-07-14 - Public Release

Credit

Marcin 'Icewall' Noga of Cisco Talos