Windows Kernel integer overflows in registry subkey lists leading to memory corruption

We discussed this vulnerability during Episode 160 on 18 October 2022

A couple of integer overflows in the Windows kernel reachable through the registry. The core problem is that a 16-bit integer is used for the Count field storing the number of subkeys inside an index. Under normal circumstances, when adding new subkeys the registry will automatically split the index so you won't have more than ~1000 subkeys in one, but you can import arbitrarily formatted indexes, and using this you can craft one with 65535 keys. Add one more key and the Count field overflows back to 0.

This becomes an issue in conjunction with the _CM_KEY_NODE.SubKeyCounts[0] value, which should remain consistent with the Count field but is a 32-bit integer: Count overflows to 0 and the key is written to index 0, while SubKeyCounts goes beyond 0xFF, so when doing a lookup by number, the list may be accessed directly by an index greater than 0xFF, leading to an out-of-bounds access.
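To make the counter mismatch concrete, here is a small C model added for this write-up; it is not Windows kernel code, and the struct layout, capacity and function names are assumptions chosen only to mirror the two fields the notes name (a 16-bit Count in the index and a 32-bit SubKeyCounts in the parent key node). It shows the wrap after 65536 additions, how a lookup that trusts the wider counter reaches past what the index really holds, and the consistency check that a hardened add/import path would apply.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model (not Windows kernel code). Field names mirror the ones in
 * the episode notes; the layout and capacity are constructed for this demo. */
#define INDEX_CAPACITY 65536u /* one slot per possible uint16_t Count value */

typedef struct {
    uint16_t Count;                   /* 16-bit: 65535 + 1 wraps to 0 */
    uint32_t entries[INDEX_CAPACITY]; /* slot i holds the i-th subkey's cell id */
} IndexBlock;

typedef struct {
    uint32_t SubKeyCounts; /* 32-bit: keeps growing past 0xFFFF */
    IndexBlock *index;
} KeyNode;

static KeyNode *new_node(void) {
    KeyNode *node = calloc(1, sizeof *node);
    node->index = calloc(1, sizeof *node->index);
    return node;
}

static void free_node(KeyNode *node) { free(node->index); free(node); }

/* Unchecked add, modelling the bug: Count wraps while SubKeyCounts does not.
 * Count is uint16_t, so the entries[] write itself stays inside the array;
 * after the wrap it silently lands on slot 0 again. */
static void add_subkey_unchecked(KeyNode *node, uint32_t cell) {
    IndexBlock *ix = node->index;
    ix->entries[ix->Count] = cell;
    ix->Count++;           /* 65535 -> 0 */
    node->SubKeyCounts++;  /* 65535 -> 65536 */
}

/* Lookup "by number" as a caller trusting SubKeyCounts would do it: the bound
 * comes from the 32-bit field. Returns true when the number passes that bound
 * but lies beyond what the index really holds, i.e. the access would be OOB. */
static bool lookup_is_out_of_bounds(const KeyNode *node, uint32_t number) {
    if (number >= node->SubKeyCounts) return false; /* rejected normally */
    return number >= node->index->Count;            /* past real contents */
}

/* Hardened add: accept only while both counters agree and Count has room. */
static bool add_subkey_checked(KeyNode *node, uint32_t cell) {
    IndexBlock *ix = node->index;
    if (ix->Count != node->SubKeyCounts) return false; /* inconsistent index */
    if (ix->Count == UINT16_MAX) return false;         /* would wrap */
    ix->entries[ix->Count] = cell;
    ix->Count++;
    node->SubKeyCounts++;
    return true;
}

/* Scenario: 65536 unchecked adds. Returns the wrapped Count (expected 0). */
static uint16_t overflow_count(void) {
    KeyNode *node = new_node();
    for (uint32_t i = 0; i < 65536u; i++) add_subkey_unchecked(node, 0x1000u + i);
    uint16_t c = node->index->Count;
    free_node(node);
    return c;
}

/* Same scenario, returning the 32-bit counter (expected 65536). */
static uint32_t overflow_subkeycounts(void) {
    KeyNode *node = new_node();
    for (uint32_t i = 0; i < 65536u; i++) add_subkey_unchecked(node, 0x1000u + i);
    uint32_t s = node->SubKeyCounts;
    free_node(node);
    return s;
}

/* Same scenario, then a lookup by number against the mismatched counters. */
static bool overflow_lookup_oob(uint32_t number) {
    KeyNode *node = new_node();
    for (uint32_t i = 0; i < 65536u; i++) add_subkey_unchecked(node, 0x1000u + i);
    bool oob = lookup_is_out_of_bounds(node, number);
    free_node(node);
    return oob;
}

/* Hardened path: 65535 adds succeed, the 65536th is refused before the wrap. */
static bool checked_rejects_65536th(void) {
    KeyNode *node = new_node();
    bool ok = true;
    for (uint32_t i = 0; i < 65535u && ok; i++) ok = add_subkey_checked(node, 0x1000u + i);
    bool refused = ok && !add_subkey_checked(node, 0xFFFFu);
    free_node(node);
    return refused;
}

int main(void) {
    printf("Count after 65536 adds: %u\n", overflow_count());
    printf("SubKeyCounts after 65536 adds: %u\n", overflow_subkeycounts());
    printf("lookup #65535 out of bounds: %s\n", overflow_lookup_oob(65535) ? "yes" : "no");
    printf("checked add refuses the 65536th key: %s\n", checked_rejects_65536th() ? "yes" : "no");
    return 0;
}
```

The lookup function is where the two counters disagree in practice: the 32-bit SubKeyCounts says 65536 entries exist, the 16-bit Count says none, and any bounds check derived from the wider field lets the index be read past its real contents. A hive-import or add path that insists on Count == SubKeyCounts and refuses to add at UINT16_MAX closes both the wrap and the inconsistency.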