Commit f77b7b1

1 parent 4ee4cde commit f77b7b1

1 file changed

+5
-3
lines changed

src/content/breakdowns/CVE-2025-55680.md

Lines changed: 5 additions & 3 deletions
@@ -1,6 +1,6 @@
11
---
22
title: "CVE-2025-55680 - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability"
3-
pubDate: 2025-04-28
3+
pubDate: 2025-12-01
44
author: "Ghostbyt3"
55
tags: ["1day", "cldflt.sys", "windows", "kernel"]
66
description: "A vulnerability in Windows Cloud Files Mini Filter Driver arises from mapping user-controlled buffers into kernel space and relying on them for both path validation and file creation. By racing a single-byte change in the shared buffer between these steps, an attacker can bypass validation and create arbitrary files in System32 via a junction, enabling SYSTEM-level privilege escalation through DLL hijacking."
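
Review bot: the `pubDate` change at line 3 (2025-04-28 to 2025-12-01) moves the publication date by about seven months and is bundled with unrelated wording and image-placement edits in the same commit. State in the commit message whether this is a correction of a wrong date or a republish, or split it into its own commit, so the history shows which it was.
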
@@ -139,11 +139,13 @@ Before calling `HsmFltProcessCreatePlaceholders()` function, it checks if the in
139139
140140
#### **HsmFltProcessCreatePlaceholders()**
141141
142-
![image.png](/img/cve-2025-55680/image%204.png)
143142
144-
- It checks the user input buffer size (1️⃣) and moving on it calls `HsmpRelativeStreamOpen()` function (2️⃣) which verifies the directory provided in `BaseDirectoryPath` (member of **`CfCreatePlaceholders()`** function) is a registered sync root and check permissions and returns a handle.
143+
- The function checks the user input buffer size (1️⃣) and and it calls `HsmpRelativeStreamOpen()` function (2️⃣) which verifies the directory provided in `BaseDirectoryPath` (member of **`CfCreatePlaceholders()`** function) is a registered sync root and check permissions and returns a handle.
145144
- Finally, it calls (3️⃣) the vulnerable function `HsmpOpCreatePlaceholders()` with the user buffer, also with the sync root directory handle.
146145
146+
![image.png](/img/cve-2025-55680/image%204.png)
147+
148+
147149
**HsmpOpCreatePlaceholders()**
148150
149151
The `CREATE_PLACEHOLDER_STRUCT` structure is `Payload` here and first it calls `IoAllocateMdl()` to allocates a memory descriptor list (MDL) large enough to map a buffer, this is to map the user space buffer to kernel space.
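
Review bot: the added line 143 contains a doubled word ("checks the user input buffer size (1️⃣) and and it calls"), and the same sentence still reads "and check permissions and returns a handle" where "checks" is meant. Suggested wording: "The function checks the user input buffer size (1️⃣), then calls `HsmpRelativeStreamOpen()` (2️⃣), which verifies that the directory provided in `BaseDirectoryPath` is a registered sync root, checks permissions, and returns a handle." The sentence also calls `BaseDirectoryPath` a "member of" the `CfCreatePlaceholders()` function; if it is a parameter of that call, say "parameter". The two empty lines added at 147 and 148 after the moved image can be reduced to one.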
