
CVE-2025-64680

dwmcore.dll -- heap-based buffer overflow in Desktop Window Manager composition surface processing

Summary

Driver: dwmcore.dll (Desktop Window Manager Core Library)
Vulnerability Class: Buffer Overflow (Heap)
CVSS: 7.8
Exploited ITW: No
Patch Date: December 9, 2025

Context

The Desktop Window Manager (dwm.exe, one instance per interactive session) runs as a SYSTEM-level process that composites every visible window on the desktop, and dwmcore.dll is loaded into it. Because DWM operates at SYSTEM, code execution inside the DWM process already grants full privileges; no separate kernel exploit is needed. From an attacker's perspective this makes DWM bugs functionally equivalent to kernel EoP vulnerabilities, even though dwmcore.dll is technically a user-mode library.

CVE-2025-64680 is the sixth DWM vulnerability in the KernelSight corpus. The series includes the ITW-exploited CVE-2025-30400 (use-after-free in composition surfaces) and the February 2026 zero-day CVE-2026-21519 (type confusion). DWM has quietly become one of the most productive EoP attack surfaces alongside win32k and CLFS.

Root Cause

The heap-based buffer overflow occurs in dwmcore.dll during composition surface processing. The library allocates a heap buffer for surface data but does not validate the size of the incoming composition parameters against that allocation, so a request that carries more data than the buffer holds writes past its end and corrupts adjacent heap objects in the DWM process's address space.

Since DWM runs as SYSTEM, the attacker does not need to escape the process. Corrupting the right heap object within DWM is sufficient for arbitrary code execution with full privileges.

Exploitation

The attacker triggers the overflow through crafted composition surface operations, which are reachable from any interactive session through DWM's public interfaces. The overflow content is attacker-controlled through the crafted surface parameters. Heap grooming places a target object (such as a vtable-bearing COM object or a structure holding a function pointer) immediately after the vulnerable allocation, so the overflow overwrites its pointer field. When DWM later dereferences the corrupted object, it executes attacker-controlled code in the SYSTEM context.

Exploitation Primitive

Crafted composition surface --> heap buffer overflow
  --> adjacent object corruption --> code execution in DWM (SYSTEM)
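The root cause and the exploitation chain above, as an added example that is not dwmcore's code and not part of the original entry. A fixed-capacity surface buffer is laid out immediately before a callback object (standing in for the groomed adjacent target); the vulnerable update path copies an attacker-supplied data_len without checking it against the allocation, while the hardened path rejects the request. The structure names and layouts, the 32-byte capacity, the bump arena that models the groomed heap, and the update request shape are all assumptions for illustration; the page does not describe DWM's real layouts or interfaces. The corrupted pointer is inspected, never called.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy arena standing in for a groomed heap: allocations are laid out back to
 * back, so the object allocated after the surface is its heap neighbour.
 * Sizes are rounded to 16 bytes to keep the callback object aligned. */
#define ARENA_SIZE 256
static _Alignas(16) uint8_t arena[ARENA_SIZE];
static size_t arena_top;

static void *arena_alloc(size_t n) {
    n = (n + 15) & ~(size_t)15;
    if (arena_top + n > ARENA_SIZE) return NULL;
    void *p = arena + arena_top;
    arena_top += n;
    return p;
}

static void arena_reset(void) { memset(arena, 0, sizeof arena); arena_top = 0; }

/* Hypothetical surface allocation: capacity is fixed when the surface is
 * created and the pixel bytes follow the header (assumed layout, not DWM's). */
struct surface {
    uint32_t capacity;
    uint8_t pixels[];
};

/* Hypothetical adjacent target: an object with a function pointer that the
 * compositor would call later (assumed layout, not DWM's). */
struct callback_obj {
    uint32_t magic;
    void (*on_present)(void);
};

/* Attacker-controlled update request: data_len and data come from the caller. */
struct update_params {
    uint32_t data_len;
    const uint8_t *data;
};

/* Vulnerable path: trusts data_len and never consults capacity. */
static void surface_update_vuln(struct surface *s, const struct update_params *p) {
    memcpy(s->pixels, p->data, p->data_len);  /* BUG: unbounded copy */
}

/* Hardened path: the request is checked against the allocation before the copy. */
static int surface_update_fixed(struct surface *s, const struct update_params *p) {
    if (p->data_len > s->capacity) return -1;  /* oversized update rejected */
    memcpy(s->pixels, p->data, p->data_len);
    return 0;
}

static void benign_present(void) {}

/* Lay out a 32-byte surface followed by a callback object, then deliver a
 * 64-byte update. Returns 1 if the callback's function pointer was overwritten
 * with attacker bytes, 0 if it survived. The pointer is inspected, never
 * called: the aim is to show the corruption, not to execute it. */
static int run_scenario(int use_fixed) {
    arena_reset();
    struct surface *s = arena_alloc(sizeof *s + 32);
    s->capacity = 32;
    struct callback_obj *cb = arena_alloc(sizeof *cb);
    cb->magic = 0xC0DE;
    cb->on_present = benign_present;

    /* Constructed payload: 64 bytes of 0x41; the first 32 fill the pixel
     * buffer, the rest spill into the callback object. */
    uint8_t payload[64];
    memset(payload, 0x41, sizeof payload);
    struct update_params p = { .data_len = sizeof payload, .data = payload };

    if (use_fixed) {
        if (surface_update_fixed(s, &p) != 0) return 0;
    } else {
        surface_update_vuln(s, &p);
    }
    return cb->on_present != benign_present;
}

int main(void) {
    printf("vulnerable path: callback pointer corrupted = %d\n", run_scenario(0));
    printf("hardened path:   callback pointer corrupted = %d\n", run_scenario(1));
    return 0;
}
```

On a real heap the neighbour is not guaranteed by a bump pointer; that is what the grooming step in the chain above has to arrange. The check in surface_update_fixed is the whole fix: the copy length is bounded by the size recorded at allocation time rather than by a value the caller supplied.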

Broader Significance

DWM vulnerabilities highlight a gap in Windows security architecture. Kernel-specific mitigations such as kCFG, SMEP and pool hardening do nothing for DWM, because dwmcore.dll runs in user mode; the process gets the standard user-mode set (DEP, ASLR, CFG) but none of the sandboxing and allocator hardening that browsers layered on top of it years ago. User-mode heap exploitation techniques long dead against browsers may therefore still work against DWM, and the payoff is SYSTEM, which makes it an attractive target for attackers who find kernel exploitation too costly.

References