Buffer overflow on PNP_GetDeviceList and PNP_GetDeviceListSize calls for anonymous user on Windows 2000 and authenticated user on Windows 2003 / XP. There is another one similar vulnerability, leading to memory leak with DoS conditions.
vulners.com/securityvulns/securityvulns:doc:9904
vulners.com/securityvulns/securityvulns:doc:9916