# CVE-2025-49667

win32k.sys — double-free in ICOMP component via GDI/window management APIs

## Summary
| Field | Value |
|---|---|
| Driver | win32k.sys (Win32K — ICOMP component) |
| Vulnerability Class | Double Free |
| CVSS | 7.8 |
| Exploited ITW | No |
| Patch Date | July 8, 2025 |
## Root Cause

ICOMP (Image Composition) is the Win32K component that handles internal graphical composition for rendering optimization. When graphical objects are destroyed, ICOMP loses track of the allocation state of a memory block and frees the same block twice. Specific sequences of GDI or window management API calls reach this path, and the second free corrupts the kernel heap.
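The following is an added illustration of the bug class described above, not win32k or ICOMP code: a constructed model in which a surface record and a composition record both believe they own one buffer, so the destroy path releases it twice. The tiny pool tracks allocation state itself and reports the second free as a fault, and the fixed variant gives each record its own reference. All names, structures and the pool layout are assumptions made for the example.

```c
#include <string.h>

/* Constructed model of the advisory's bug class (not win32k/ICOMP code):
 * two records share one buffer, both free it on destroy. The pool keeps
 * its own allocation state so a second free is reported, not silently
 * accepted. Names and layout are assumptions for illustration. */
#define POOL_SLOTS 8

typedef struct {
    unsigned char data[32];
    int refs;              /* 0 = free, otherwise live reference count */
} Slot;
static Slot pool[POOL_SLOTS];

/* Allocate a slot holding one reference; returns its index or -1. */
static int pool_alloc(void) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (pool[i].refs == 0) { pool[i].refs = 1; return i; }
    return -1;
}

/* Drop one reference. Returns -1 when the slot is not live: this is the
 * allocator-side check that turns a double free into a detected fault. */
static int pool_release(int idx) {
    if (idx < 0 || idx >= POOL_SLOTS || pool[idx].refs == 0) return -1;
    if (--pool[idx].refs == 0) memset(pool[idx].data, 0, sizeof pool[idx].data);
    return 0;
}

typedef struct { int buffer; } Surface;
typedef struct { int buffer; } Composition;

/* Buggy destroy path: both records assume sole ownership, so the same slot
 * is released twice. Returns the number of faults the pool reported. */
static int destroy_buggy(Surface *s, Composition *c) {
    int faults = 0;
    if (pool_release(c->buffer) != 0) faults++;
    if (pool_release(s->buffer) != 0) faults++;   /* second free of same slot */
    return faults;
}

/* Fixed: the composition takes its own reference when it attaches, so each
 * destroy path releases exactly the reference it holds, then forgets it. */
static void composition_attach(Composition *c, int buffer) {
    c->buffer = buffer;
    pool[buffer].refs++;
}
static int destroy_fixed(Surface *s, Composition *c) {
    int faults = 0;
    if (pool_release(c->buffer) != 0) faults++;
    c->buffer = -1;
    if (pool_release(s->buffer) != 0) faults++;
    s->buffer = -1;
    return faults;
}
```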
## Exploitation

The attacker triggers the double-free through a carefully sequenced set of GDI API calls, then shapes the heap layout so that the freed memory is reclaimed with attacker-controlled contents. Kernel objects forged in the reclaimed region yield an arbitrary write primitive, which is used to escalate to SYSTEM.
## Exploitation Primitive

GDI API sequence → ICOMP object double-free → heap corruption → forge kernel objects → arbitrary write → SYSTEM