The Windows DeviceApi CMApi PnpCtxRegOpenCurrentUserKey function doesn't check the impersonation level of the current effective token allowing a normal user to create arbitrary registry keys in another user's loaded hive leading to elevation of privilege.
2e1231f4bf4a445eede4130d674c86c027caab38c9470a664b4e7bdf8a7fe1ea