Elastic Security Labs details a use-after-free vulnerability in the Windows Desktop Window Manager (DWM) that enables reliable local privilege escalation from a low-privileged user to SYSTEM, demonstrated with a working exploit and a discussion of the patch. The flaw lies in the destructor of CSynchronousSuperWetInk in dwmcore[.]dll version 10.0.26100.7309, where IsSuperWetCompatible() governs whether RemoveSource() executes; changing LookupMode bypasses the removal and leaves a dangling pointer.
The researchers describe a multi-stage exploit: the DirectComposition API is used to allocate a CSynchronousSuperWetInk object, LookupMode is then manipulated and destruction is triggered to create a dangling reference, and finally DirtyActiveInk is invoked to dereference the freed vtable. A 288-byte spray (18 RECTs) reclaims the freed object with a controlled vtable, turning the use-after-free into code execution via a CFG-valid gadget chain that ends in cmd[.]exe execution.
The fix introduces a feature flag (Feature_1732988217) so that RemoveSource() runs unconditionally, eliminating the dangling pointer; the team notes that it has withheld the full technique for now.
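The bug class behind both the flaw and the fix is a destructor whose unlinking step is gated on mutable object state. The following added example models that pattern and its hardened form; it is not DWM or Elastic code, and the names (SynchronousSuperWetInk, is_super_wet_compatible, SourceRegistry, the LookupMode values) are hypothetical stand-ins chosen only to mirror the identifiers in the writeup. The check never dereferences the freed object: it only asks whether the registry still holds the freed address.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of the destructor pattern described above.
   Nothing here is real DWM code; the structures only reproduce the shape of
   the bug: a registry keeps raw pointers to objects, and the object's
   destructor unregisters itself only under a condition that can change
   after registration. */

enum LookupMode { LOOKUP_SUPERWET = 0, LOOKUP_OTHER = 1 };

#define MAX_SOURCES 8

/* Stand-in for whatever RemoveSource() unlinks from: non-owning raw pointers. */
typedef struct {
    void *sources[MAX_SOURCES];
    size_t count;
} SourceRegistry;

typedef struct {
    int lookup_mode;          /* mutable after the object has registered itself */
    SourceRegistry *registry; /* the registry this object was added to */
} SynchronousSuperWetInk;

static void registry_add(SourceRegistry *r, void *src) {
    if (r->count < MAX_SOURCES) r->sources[r->count++] = src;
}

static void registry_remove(SourceRegistry *r, void *src) {
    for (size_t i = 0; i < r->count; i++) {
        if (r->sources[i] == src) {
            r->sources[i] = r->sources[--r->count]; /* swap-remove */
            return;
        }
    }
}

/* Pointer-value comparison only; the address is never dereferenced. */
static bool registry_contains(const SourceRegistry *r, const void *src) {
    for (size_t i = 0; i < r->count; i++)
        if (r->sources[i] == src) return true;
    return false;
}

static SynchronousSuperWetInk *ink_create(SourceRegistry *r) {
    SynchronousSuperWetInk *ink = calloc(1, sizeof *ink);
    ink->lookup_mode = LOOKUP_SUPERWET;
    ink->registry = r;
    registry_add(r, ink); /* object registers itself as a source on creation */
    return ink;
}

static bool is_super_wet_compatible(const SynchronousSuperWetInk *ink) {
    return ink->lookup_mode == LOOKUP_SUPERWET;
}

/* Vulnerable shape: unregistering is gated on a mode that may have changed
   since registration, so the registry can keep a pointer to freed memory. */
static void ink_destroy_vulnerable(SynchronousSuperWetInk *ink) {
    if (is_super_wet_compatible(ink))
        registry_remove(ink->registry, ink);
    free(ink);
}

/* Hardened shape, matching what the page says the feature flag enforces:
   always unlink before freeing, regardless of the object's current mode. */
static void ink_destroy_fixed(SynchronousSuperWetInk *ink) {
    registry_remove(ink->registry, ink);
    free(ink);
}

/* Register, flip the mode after registration, destroy, then report whether
   the registry still references the freed address (true = dangling pointer). */
static bool registry_holds_freed_object(bool use_fixed_destructor) {
    SourceRegistry reg;
    memset(&reg, 0, sizeof reg);
    SynchronousSuperWetInk *ink = ink_create(&reg);
    ink->lookup_mode = LOOKUP_OTHER; /* state change between register and destroy */
    void *freed_addr = ink;          /* remembered for comparison only */
    if (use_fixed_destructor) ink_destroy_fixed(ink);
    else ink_destroy_vulnerable(ink);
    return registry_contains(&reg, freed_addr);
}

int main(void) {
    printf("vulnerable destructor leaves dangling pointer: %s\n",
           registry_holds_freed_object(false) ? "yes" : "no");
    printf("fixed destructor leaves dangling pointer:      %s\n",
           registry_holds_freed_object(true) ? "yes" : "no");
    return 0;
}
```

The general lesson for code review is the one the patch applies: any teardown path that conditionally skips unlinking from a container that outlives the object should be treated as a use-after-free candidate, and the unlink should either be unconditional or the condition should be derived from whether the object is actually present in the container, not from state the caller can change.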