CVE-2025-49733
win32k.sys — use-after-free in ICOMP component allows elevation of privilege
Summary
| Field | Value |
|---|---|
| Driver | win32k.sys (Win32K - ICOMP) |
| Vulnerability Class | Use-After-Free |
| CVSS | 7.8 |
| Exploited ITW | No |
| Patch Date | July 8, 2025 |
Root Cause
When graphical objects are destroyed, the ICOMP component loses track of internal state and frees an object while a reference to it remains active. A later dereference of that stale pointer accesses freed memory, which the attacker reclaims with controlled data.
Exploitation
The attacker triggers the UAF through specific sequences of graphical object creation and destruction. Heap spraying then reclaims the freed memory, giving a kernel corruption primitive that yields SYSTEM.
Exploitation Primitive
Graphical object destruction → UAF in ICOMP
→ heap reclaim → kernel corruption → SYSTEM