Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=936 The DxgkDdiEscape handler for 0x7000170 lacks proper bounds checks for the variable size input escape data, and relies on a user provided size as the upper bound for writing output. Crashing context with PoC (Win 10 x64 with 372.54): KERNEL_SECURITY_CHECK_FAILURE (139) A kernel component has corrupted a critical data structure. The corruption could potentially allow a malicious user to gain control of this machine. ... rax=fffff801f417e600 rbx=0000000000000000 rcx=0000000000000002 rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000 rip=fffff801f4152b75 rsp=ffffd000287b4468 rbp=ffffd000287b53e8 r8=fffff801f4169e24 r9=ffffd000287b5620 r10=ffffd000287b5620 r11=0000000000000450 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei ng nz ac pe nc dxgkrnl!_report_gsfailure+0x5: fffff801`f4152b75 cd29 int 29h Resetting default scope EXCEPTION_RECORD: ffffd000287b4228 -- (.exr 0xffffd000287b4228) ExceptionAddress: fffff801f4152b75 (dxgkrnl!_report_gsfailure+0x0000000000000005) ExceptionCode: c0000409 (Security check failure or stack buffer overrun) ExceptionFlags: 00000001 NumberParameters: 1 Parameter[0]: 0000000000000002 Subcode: 0x2 FAST_FAIL_STACK_COOKIE_CHECK_FAILURE To reproduce, compile the PoC as a x64 binary (requires linking with setupapi.lib, and WDK for D3DKMTEscape), and run. It may require some changes as for it to work as the escape data must contain the right values (e.g. a field that appears to be gpu bus device function). My PoC should hopefully set all the right values for the machine it's running on. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40662.zip