A double-free condition in win32k.sys can be triggered by first linking and then destroying a set of Cursor Objects. This allows an unprivileged local user to cause a null dereference in kernel mode, which produces a BSoD.