Patch diff to SYSTEM
ID: 95598355-6734-5936-87ee-4a3d5c404c4d
STIX ID: report--95598355-6734-5936-87ee-4a3d5c404c4d
Feed Name: Elastic Security Labs
This write-up analyzes a Use-After-Free in CSynchronousSuperWetInk in dwmcore.dll (Windows DWM). A local unprivileged process using DirectComposition can create a dangling pointer and trigger a virtual call, leading to arbitrary code execution and escalation to SYSTEM. The write-up covers the bug's root cause, the behavior of the Microsoft patch, a full exploit that reclaims the freed allocation via a CRegionGeometry RECT spray (GetRECT), and a CFG-respecting gadget chain that makes the sprayed region executable and runs inline shellcode to spawn cmd.exe.
