CVE-2025-55681

dwmcore.dll -- out-of-bounds access in composition surface allows SYSTEM escalation

Summary

Field                Value
Driver               dwmcore.dll (Desktop Window Manager Core Library)
Vulnerability Class  Out-of-Bounds Access
CVSS                 7.8
Exploited ITW        No
Patch Date           October 14, 2025

Root Cause

The Desktop Window Manager (DWM) is the compositing window manager that renders the Windows desktop. It runs as a SYSTEM-level process, meaning any code execution within DWM immediately grants full system privileges. The dwmcore.dll library implements the core composition engine.

The vulnerability exists in how DWM handles composition surface operations. When processing certain surface manipulations, the code indexes into an internal array without validating that the index falls within the array's bounds. A crafted composition operation supplies an index value that exceeds the array's size, causing the code to read or write memory beyond the allocation boundary.

Because DWM is a user-mode process (albeit a highly privileged one), the out-of-bounds access does not directly corrupt kernel memory. Instead, it corrupts DWM's own process memory, which runs as SYSTEM. This makes the exploitation model different from kernel driver vulnerabilities: the attacker does not need kernel pool spraying or token swapping. Corrupting DWM's internal state is sufficient to hijack execution within a SYSTEM-context process.
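The pattern described above, as an added illustration that is not code from the page or from dwmcore.dll: a hypothetical compositor surface table (names, layout and the `surface_op_t` structure are assumptions) in which a client-supplied index is used unchecked, beside the hardened form that validates it against the live entry count rather than the array's capacity and also rejects negative values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a compositor's surface table; this is NOT the real
 * dwmcore.dll layout, just the shape of the bug class the write-up describes. */
#define MAX_SURFACES 8

typedef struct {
    uint32_t width, height;
    int visible;
} surface_t;

typedef struct {
    surface_t surfaces[MAX_SURFACES];
    uint32_t  count;      /* number of live entries, may be less than MAX_SURFACES */
    uintptr_t callback;   /* adjacent field: what a stray write past the array would hit */
} surface_table_t;

/* A client-supplied composition operation: the index is untrusted input. */
typedef struct {
    int32_t surface_index;  /* signed on purpose: negative values are the classic trap */
    int     visible;
} surface_op_t;

/* Vulnerable pattern from the write-up: the index is used with no validation.
 * Never call this with an untrusted index; it is here only for comparison. */
void apply_op_unchecked(surface_table_t *t, const surface_op_t *op) {
    t->surfaces[op->surface_index].visible = op->visible;
}

/* Hardened form: accept only indexes in [0, count). Returns 0 on success, -1 on rejection.
 * Checking against count (not MAX_SURFACES) also refuses stale/uninitialised slots. */
int apply_op_checked(surface_table_t *t, const surface_op_t *op) {
    if (op->surface_index < 0) return -1;                    /* would wrap to a huge unsigned */
    if ((uint32_t)op->surface_index >= t->count) return -1;  /* past the live entries */
    t->surfaces[op->surface_index].visible = op->visible;
    return 0;
}

int main(void) {
    surface_table_t t; memset(&t, 0, sizeof t); t.count = 3;
    surface_op_t bad = { .surface_index = 5, .visible = 1 };
    printf("index 5 against 3 live surfaces: %s\n",
           apply_op_checked(&t, &bad) == 0 ? "accepted" : "rejected");
    return 0;
}
```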

Exploitation

The attacker interacts with the DWM composition pipeline through standard window management APIs. By creating windows and surfaces with specific properties, the attacker triggers composition operations that pass unchecked index values to the vulnerable array access.

The out-of-bounds read or write corrupts adjacent data within DWM's address space. The attacker shapes the DWM heap to place controlled data adjacent to the target array, so that the OOB access corrupts specific fields. This provides a primitive for redirecting execution within the DWM process, achieving code execution as SYSTEM.

Exploitation Primitive

Crafted window composition operation -> unchecked array index
  -> OOB access in dwmcore.dll -> DWM process corruption
  -> code execution in DWM (running as SYSTEM)

Broader Significance

DWM vulnerabilities represent a distinct class of SYSTEM escalation that operates entirely in user mode. Unlike kernel driver EoP bugs that require kernel heap manipulation, DWM bugs exploit the architectural decision to run the compositing window manager as SYSTEM. This makes them accessible to researchers with user-mode debugging experience and potentially easier to exploit reliably than kernel-mode bugs. CVE-2025-55681 is one of three DWM vulnerabilities patched in the October 2025 cycle (alongside CVE-2025-58722 and CVE-2025-59254), indicating that DWM's composition engine is receiving increased scrutiny from both attackers and defenders.

References