There is no access counters for _SESSION and HTTP_SESSION_VARS variables, making it possible to trigger use-after-free conditions by unsetting these variables. In addition, it's possible to deserealize these variables.
During exceptions handling on \Device\NdisTapi device request handling URQL is not returned from DISPATCH level on switching to user mode, leading to crash (BSOD) with IRQL_LESS_THAN_NOT_EQUAL on accessing paged memory.
During file operations conditions exist for attacker to gain access to content of protected or locked files. It's also possible to create unmanageble file.