CVE-2019-1065

This is a vulnerability in DirectComposition, which is a user-mode graphics component but is managed by win32kbase, so commands are sent to win32kbase.sys through syscalls and then delegated to user-mode dwm.exe through ALPC. It's all C++, so resources are managed through refcounted objects/RAII. In fact there are a lot of reference counting bugs: reference co