Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=944 The DxgkDdiEscape handler for 0x70000d5 lacks bounds checks: ... if ( g_saved_size ) { escape->size = g_saved_size; if ( (unsigned int)g_saved_size > 0 ) { do { v5 = v2++; escape->data[v5] = global_array[v5 + 77]; } while ( v2 < g_saved_size ); } return; } data = 0i64; ... if ( escape->size > 0 ) { do { ii = i++; global_array[ii + 77] = escape->data[ii]; } while ( i < escape->size ); ... g_saved_size = escape->size; This handler copies data to/from a global array, but lacks any form of bounds checking, as |escape->size| is controlled by the user. This leads to overflow of the global buffer, and pool overflows when it's copied back into the escape data. A PoC is attached that should cause a crash (Win 10 x64, 372.54): KERNEL_SECURITY_CHECK_FAILURE (139) A kernel component has corrupted a critical data structure. The corruption could potentially allow a malicious user to gain control of this machine. Arguments: Arg1: 0000000000000002, Stack cookie instrumentation code detected a stack-based buffer overrun. Arg2: ffffd00022de52c0, Address of the trap frame for the exception that caused the bugcheck Arg3: ffffd00022de5218, Address of the exception record for the exception that caused the bugcheck Arg4: 0000000000000000, Reserved Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40666.zip