CVE-2025-49733: 
vulnerability analysis and mitigation

A use-after-free vulnerability in Windows Win32K - ICOMP (CVE-2025-49733) was discovered and disclosed on July 8, 2025. This vulnerability affects multiple versions of Microsoft Windows, including Windows 10, Windows 11, and Windows Server editions. The vulnerability allows an authorized attacker with local access to elevate privileges on affected systems (NVD, CVE Mitre).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. It is classified as CWE-416 (Use After Free) affecting the Windows Win32K component, specifically the ICOMP subsystem (NVD).

If successfully exploited, this vulnerability allows an authorized attacker to elevate their privileges on the local system, potentially gaining full system access with high confidentiality, integrity, and availability impacts (NVD).

Microsoft has released security updates to address this vulnerability across multiple affected versions. Updates are available for Windows 10 (1809, 21H2, 22H2), Windows 11 (22H2, 23H2, 24H2), Windows Server 2019, Windows Server 2022, and Windows Server 2025 (Rapid7).