CVE-2025-58722
dwmcore.dll -- memory corruption in Desktop Window Manager allows SYSTEM escalation
Summary
| Field | Value |
|---|---|
| Component | dwmcore.dll (Desktop Window Manager Core Library, user-mode) |
| Vulnerability Class | Memory corruption leading to Elevation of Privilege |
| CVSS | 7.8 |
| Exploited ITW | No |
| Patch Date | October 14, 2025 |
Root Cause
This is the second of three DWM vulnerabilities patched in the October 2025 cycle, alongside CVE-2025-55681 (out-of-bounds access) and CVE-2025-59254 (memory handling flaw). Microsoft's advisory discloses nothing about CVE-2025-58722 beyond its class and impact, so the analysis below is inferred from the component and attack surface it shares with the other two.
The Desktop Window Manager (dwm.exe, one instance per interactive session) consumes composition requests from every process on its desktop. It does not run literally as NT AUTHORITY\SYSTEM: each instance runs under a dedicated per-session virtual account, Window Manager\DWM-<n>, well above the medium-integrity applications feeding it, and the advisory describes the outcome of exploitation as SYSTEM privileges. Any memory corruption inside dwmcore.dll that an attacker can trigger through window management or composition APIs therefore translates directly into code execution in that context. The untrusted input DWM processes includes window properties, surface dimensions, composition parameters, and rendering directives from every application on the desktop.
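Rather than take DWM's security context on faith, a practitioner can inspect it. The PowerShell below is an added example, not part of Microsoft's advisory or of any DWM code: it reports the account and session each running dwm.exe instance belongs to, the on-disk version of dwmcore.dll (to compare against the file manifest of the October 2025 update), and the exploit mitigations in effect on the live process. It assumes an elevated 64-bit PowerShell on Windows 10/11 with the ProcessMitigations module, and that Get-ProcessMitigation accepts a process ID via -Id.

```powershell
# Added example, not from the advisory. Run from an elevated 64-bit PowerShell.
# Shows who DWM runs as, which dwmcore.dll is on disk, and the mitigations
# applied to the live process. Assumes Windows 10/11 with the
# ProcessMitigations module (shipped since 1709).

function Get-DwmSecurityContext {
    # -IncludeUserName needs administrator rights; it exposes the token owner,
    # which for DWM is the per-session virtual account Window Manager\DWM-<n>.
    $procs = Get-Process -Name dwm -IncludeUserName -ErrorAction Stop

    # DWM loads the System32 copy of dwmcore.dll; compare this version with the
    # file list published for the October 2025 update (not stated here).
    $core = Get-Item (Join-Path $env:SystemRoot 'System32\dwmcore.dll')

    foreach ($p in $procs) {
        $mitig = $null
        try {
            # Effective policy of the running process (not the per-image
            # registry override), so compiled-in DEP/ASLR/CFG are reflected.
            $mitig = Get-ProcessMitigation -Id $p.Id -ErrorAction Stop
        } catch {
            Write-Warning "Get-ProcessMitigation failed for PID $($p.Id): $_"
        }

        [pscustomobject]@{
            Pid             = $p.Id
            Session         = $p.SessionId
            User            = $p.UserName
            DwmCorePath     = $core.FullName
            DwmCoreVersion  = $core.VersionInfo.FileVersion
            Dep             = if ($mitig) { $mitig.Dep.Enable }        else { 'unknown' }
            Cfg             = if ($mitig) { $mitig.Cfg.Enable }        else { 'unknown' }
            AslrBottomUp    = if ($mitig) { $mitig.Aslr.BottomUp }     else { 'unknown' }
            AslrHighEntropy = if ($mitig) { $mitig.Aslr.HighEntropy }  else { 'unknown' }
        }
    }
}

Get-DwmSecurityContext | Format-List
```

Expect one dwm.exe per interactive session, each owned by Window Manager\DWM-<session>. A DWM instance owned by any other account, or a dwmcore.dll version older than the update's file manifest, is what you are looking for.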
The fact that three separate DWM vulnerabilities were patched simultaneously suggests that Microsoft conducted a focused audit of the composition engine and found multiple issues. Each likely represents a different code path where user-influenced values reach memory operations without adequate validation.
Exploitation
The attacker triggers the vulnerability through crafted DWM operations issued via ordinary window management and composition APIs, which any medium-integrity process on the desktop can call. The resulting memory corruption inside the DWM process provides the primitive for code execution in DWM's security context, which the advisory equates with SYSTEM.
Because DWM is a user-mode process, exploitation does not require kernel-mode techniques such as pool grooming or token stealing, and kernel hardening (HVCI, kernel-mode CFG) does not stand in the way: the attacker corrupts DWM's own address space to redirect execution and inherits the process's existing token. The standard user-mode mitigations still apply, however. dwm.exe is a 64-bit process running with ASLR, DEP and CFG on current Windows builds, so in practice a bare corruption has to be developed into an information leak plus a controlled write before it yields control of execution.
Exploitation Primitive
Crafted DWM composition operation -> memory corruption
-> code execution in DWM process (SYSTEM context)
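Exploit details are not public, but the end state described above leaves a generic, high-signal artefact: code running inside DWM has to do something, and the cheapest thing is to spawn a process. On a healthy desktop dwm.exe never has child processes, and nothing other than dwm.exe ever runs under a Window Manager\DWM-<n> account. The PowerShell below is an added detection example, not part of the advisory or of any vendor rule set; it applies that hypothesis to Sysmon Event ID 1 (ProcessCreate) records. The sample records are constructed for offline use, and the live query at the end assumes Sysmon is installed with process-creation logging enabled.

```powershell
# Added detection example, not from the advisory. Flags the usual
# post-exploitation footprint of code execution inside DWM:
#   1. any child process of dwm.exe
#   2. any non-dwm.exe image whose token is a Window Manager\DWM-<n> account
# Neither happens on a healthy desktop. Input is the flat shape of a Sysmon
# Event ID 1 (ProcessCreate) record; the samples below are constructed.

function Test-DwmAnomaly {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject]$Event   # needs ProcessId, Image, ParentImage, User, CommandLine
    )
    process {
        $reasons = @()
        if ($Event.ParentImage -match '(?i)\\dwm\.exe$') {
            $reasons += 'child process of dwm.exe'
        }
        if ($Event.User -match '(?i)^Window Manager\\DWM-\d+$' -and
            $Event.Image -notmatch '(?i)\\dwm\.exe$') {
            $reasons += 'non-DWM image running as the DWM virtual account'
        }
        if ($reasons.Count) {
            [pscustomobject]@{
                ProcessId   = $Event.ProcessId
                Image       = $Event.Image
                ParentImage = $Event.ParentImage
                User        = $Event.User
                CommandLine = $Event.CommandLine
                Reason      = $reasons -join '; '
            }
        }
    }
}

# Flatten a live Sysmon ProcessCreate event into the shape Test-DwmAnomaly wants.
function ConvertFrom-SysmonProcessCreate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventRecord]$Record
    )
    process {
        $x = [xml]$Record.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            ProcessId   = $d['ProcessId']
            Image       = $d['Image']
            ParentImage = $d['ParentImage']
            User        = $d['User']
            CommandLine = $d['CommandLine']
        }
    }
}

# Constructed sample events (not real telemetry): a benign DWM start, a benign
# Explorer child, and two records the function should flag.
$sample = @(
    [pscustomobject]@{ ProcessId=1234; Image='C:\Windows\System32\dwm.exe';     ParentImage='C:\Windows\System32\winlogon.exe'; User='Window Manager\DWM-1'; CommandLine='"dwm.exe"' }
    [pscustomobject]@{ ProcessId=4321; Image='C:\Windows\System32\notepad.exe'; ParentImage='C:\Windows\explorer.exe';           User='CORP\alice';           CommandLine='notepad.exe' }
    [pscustomobject]@{ ProcessId=5555; Image='C:\Windows\System32\cmd.exe';     ParentImage='C:\Windows\System32\dwm.exe';       User='Window Manager\DWM-1'; CommandLine='cmd.exe /c whoami' }
    [pscustomobject]@{ ProcessId=6666; Image='C:\Users\Public\x.exe';           ParentImage='C:\Windows\System32\svchost.exe';   User='Window Manager\DWM-1'; CommandLine='x.exe' }
)

$sample | Test-DwmAnomaly | Format-Table -AutoSize

# Against real telemetry (Sysmon with ProcessCreate logging):
# Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Sysmon/Operational'; Id=1 } |
#     ConvertFrom-SysmonProcessCreate | Test-DwmAnomaly
```

Of the four constructed records only PIDs 5555 and 6666 are reported. The check is deliberately independent of the specific bug: it catches any DWM compromise that proceeds to spawn or migrate, whichever of the three October 2025 CVEs was used, and it equally catches the in-process case only if the payload eventually creates a process, so pair it with the dwmcore.dll version check when triaging a host.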
Broader Significance
Three DWM vulnerabilities in a single patch cycle underline that the composition engine is an established rather than merely emerging attack surface: earlier DWM Core Library elevation bugs, CVE-2023-36033 and CVE-2024-30051, were exploited in the wild before this cycle. DWM's architectural position, a highly privileged per-session process consuming input from unprivileged applications, makes it structurally similar to a setuid binary in Unix terms: every input validation gap is a privilege escalation. As Microsoft hardens the kernel with HVCI, VBS and kernel-mode CFG, attackers can be expected to keep targeting privileged user-mode services like DWM, where a single process's worth of user-mode mitigations is all that stands between a medium-integrity application and SYSTEM.