A user-space attacker could abuse it to essentially trick the kernel into calling an arbitrary pointer, ... allowing the attacker to call an arbitrary kernel function with a high degree of control over the first argument.
Some Windows components and configurations are explicitly not intended to provide a robust security boundary. Microsoft reserves the right to patch admin-to-kernel vulnerabilities at its own discretion.
[
add
]
[
|
|
...
]