CVE-2025-30400
Desktop Window Manager — use-after-free in composition surface handling allows SYSTEM escalation
Exploited in the Wild
Actively exploited zero-day. Added to CISA KEV with remediation deadline June 3, 2025.
Summary
| Field | Value |
|---|---|
| Component | dwmcore.dll (Desktop Window Manager Core Library) |
| Vulnerability Class | Use-After-Free |
| CVSS | 7.8 |
| Exploited ITW | Yes |
| Patch Date | May 13, 2025 |
Root Cause
The DWM process mismanages reference-counted objects during composition surface and window transitions. Creating and destroying windows in a carefully timed sequence triggers a race condition that frees an object while a reference remains active. The stale pointer dereference then operates on freed memory.
DWM runs as SYSTEM, so any code execution within the DWM process context immediately yields full privileges.
Exploitation
The attacker triggers the race to free a composition surface object prematurely. Heap spraying reclaims the freed memory with controlled data. The stale pointer dereference corrupts process heap structures, giving code execution in the SYSTEM-context DWM process.
Exploitation Primitive
Composition surface race condition → premature free
→ heap spray reclaim → stale pointer dereference
→ code execution in DWM (SYSTEM context)
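
Detection sketch for the chain above, as an added example that is not part of the original advisory: it flags processes created by dwm.exe and bursts of dwm.exe crashes faulting in dwmcore.dll. The flat event fields, the sample events and the thresholds are constructed. The rules rest on two assumptions to validate against your own baseline: that dwm.exe does not normally spawn child processes, and that failed attempts to win the race crash DWM.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DWM, DWM_CORE = "dwm.exe", "dwmcore.dll"
CRASH_WINDOW = timedelta(minutes=10)  # assumed tuning value
CRASH_THRESHOLD = 3                   # assumed tuning value

# Constructed sample events, pre-normalized to flat dicts (hypothetical field names).
# id 1 = Sysmon process creation, id 1000 = Application Error crash record.
EVENTS = [
    {"host": "WS01", "time": "2025-05-10T09:00:05", "id": 1000, "app": "dwm.exe", "module": "dwmcore.dll"},
    {"host": "WS01", "time": "2025-05-10T09:02:40", "id": 1000, "app": "dwm.exe", "module": "dwmcore.dll"},
    {"host": "WS01", "time": "2025-05-10T09:04:10", "id": 1000, "app": "dwm.exe", "module": "dwmcore.dll"},
    {"host": "WS01", "time": "2025-05-10T09:04:55", "id": 1,
     "parent_image": r"C:\Windows\System32\dwm.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS02", "time": "2025-05-10T11:00:00", "id": 1000, "app": "dwm.exe", "module": "dwmcore.dll"},
    {"host": "WS02", "time": "2025-05-10T11:05:00", "id": 1,
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe"},
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (host, rule, detail) alerts in event-time order."""
    alerts, crashes = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 1 and basename(ev["parent_image"]) == DWM:
            # Code running inside DWM that launches a process shows up here.
            alerts.append((ev["host"], "dwm_child_process", basename(ev["image"])))
        elif ev["id"] == 1000 and ev["app"].lower() == DWM and ev["module"].lower() == DWM_CORE:
            # Keep only crashes inside the sliding window, then add this one.
            recent = [t for t in crashes[ev["host"]] if ts - t <= CRASH_WINDOW] + [ts]
            crashes[ev["host"]] = recent
            if len(recent) == CRASH_THRESHOLD:  # alert once when the burst is reached
                alerts.append((ev["host"], "dwm_crash_burst", len(recent)))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

A single DWM crash, as on WS02 in the sample, stays below the threshold and raises no alert.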