The DxgkDdiEscape handler for 0x7000194 doesn't do bounds checking with the user provided lengths it receives. When these lengths are passed to memcpy, overreads and memory corruption can occur.
fe4199c90270a4da962ed45b45ddf04bfdf0f113751182e41c3f39b735a8f2c9