CVE-2025-27732
win32k.sys -- improper memory locking allows elevation of privilege
Summary
| Field | Value |
|---|---|
| Driver | win32k.sys (Win32K - GRFX) |
| Vulnerability Class | Improper Memory Locking |
| CVSS | 7.0 |
| Exploited ITW | No |
| Patch Date | April 8, 2025 |
Root Cause
The Win32K graphics component manages memory pages that back graphical objects, surfaces, and shared sections used during window composition. Some of these pages need to be locked into physical memory during certain operations to prevent them from being paged out while kernel code is actively reading or writing them.
CVE-2025-27732 occurs when win32k.sys fails to properly lock memory pages during a graphical operation. The pages remain unlocked and subject to concurrent modification or reallocation while kernel code still holds references to them. If another thread accesses the same pages during this window, it can modify memory that the first thread assumes is stable, leading to kernel memory corruption.
The CVSS score of 7.0 (rather than the more common 7.8 for EoP bugs) reflects the timing complexity: the attacker needs to win a race between the unlocked access and a concurrent modification, which adds an element of unreliability to exploitation.
Exploitation
The attacker creates concurrent graphical operations that target the same memory-backed resources. One thread triggers the code path where the memory pages should be locked but are not. A second thread modifies the unlocked pages during the window of vulnerability.
The resulting corruption depends on what graphical object the pages back. If the attacker can control the content written by the second thread, they can forge kernel data structures or corrupt reference counts. From there, standard kernel exploitation techniques convert the corruption into SYSTEM privilege escalation.
Exploitation Primitive
Graphical operation with improper page locking
--> concurrent thread modifies unlocked pages
--> kernel memory corruption
--> privilege escalation --> SYSTEM
Broader Significance
Memory locking bugs are a subtle variant of race conditions. Rather than racing on object state, the race is on page state: whether a page is resident and stable in physical memory while kernel code operates on it. CVE-2025-27732 adds to the growing evidence that win32k's synchronization model has gaps not just in object reference counting (the source of its many UAF bugs) but also in its memory management primitives. For researchers auditing win32k, this suggests that looking beyond traditional UAF and race patterns, into page table and memory mapping handling, may yield additional findings.