Type confusion in Windows COM+ Event System Service [CVE-2022-41033]

We discussed this vulnerability during Episode 182 on 24 January 2023

Another type confusion that falls out of a union. This one was in the COM+ (Component Object Model Plus) Event System Service, in the InMemoryRegRow::PutPropertyBag() method, which handles PROPVARIANT objects (a tagged-union container that can hold integers, strings, COM interface pointers and so on, with a vt field naming which member is live). The method takes two PROPVARIANTs as input, which it expects to be a vector of strings and a vector of PROPVARIANTs, but it never validates the variant type tag; it simply assumes the second argument is the CAPROPVARIANT (element count plus element pointer) it expects. An attacker can pass a VT_BLOB instead. The BLOB member (a byte count plus a pointer to attacker-controlled bytes) occupies the same union bytes as the CAPROPVARIANT, so the service walks attacker-supplied data as if it were an array of PROPVARIANTs. From there you can fake a VT_UNKNOWN element whose interface pointer leads to a fake object with a crafted vtable, and the first virtual call the service makes through it becomes code execution.
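To make the overlap concrete, here is an added example (not code from the episode or from Windows) that re-creates the relevant slice of the PROPVARIANT layout in plain C and shows why a missing vt check turns a VT_BLOB into a fake vector of PROPVARIANTs. The struct layout mirrors the real header (16-bit vt, three reserved words, then the union at offset 8), but the names put_property_bag_vulnerable, put_property_bag_fixed, run_attack and evil_addref are this example's own, and the "vulnerable" function is a stand-in for PutPropertyBag(), not a decompilation of it. The fake vtable just sets a flag rather than running shellcode.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative re-creation of the PROPVARIANT layout, not the real header.
 * The two union members that matter share the same bytes:
 *   CAPROPVARIANT {cElems, pElems}   for VT_VECTOR|VT_VARIANT
 *   BLOB          {cbSize, pBlobData} for VT_BLOB                */
enum { VT_VARIANT = 12, VT_UNKNOWN = 13, VT_BLOB = 65, VT_VECTOR = 0x1000 };

struct IUnknownVtbl;
typedef struct IUnknown { const struct IUnknownVtbl *lpVtbl; } IUnknown;
typedef struct IUnknownVtbl {
    void *QueryInterface;
    unsigned long (*AddRef)(IUnknown *self);
    unsigned long (*Release)(IUnknown *self);
} IUnknownVtbl;

typedef struct PROPVARIANT PROPVARIANT;
typedef struct { uint32_t cElems; PROPVARIANT *pElems; } CAPROPVARIANT;
typedef struct { uint32_t cbSize; uint8_t *pBlobData; } BLOB;

struct PROPVARIANT {
    uint16_t vt;                       /* which union member is live */
    uint16_t wReserved1, wReserved2, wReserved3;
    union {
        IUnknown     *punkVal;         /* VT_UNKNOWN */
        CAPROPVARIANT capropvar;       /* VT_VECTOR|VT_VARIANT */
        BLOB          blob;            /* VT_BLOB */
    };
};

/* Stand-in for the vulnerable method: treats its argument as a vector of
 * PROPVARIANTs and AddRef()s every VT_UNKNOWN element, never checking vt. */
static int put_property_bag_vulnerable(const PROPVARIANT *values)
{
    const CAPROPVARIANT *vec = &values->capropvar;   /* no vt check here */
    for (uint32_t i = 0; i < vec->cElems; i++) {
        const PROPVARIANT *e = &vec->pElems[i];
        if (e->vt == VT_UNKNOWN)
            e->punkVal->lpVtbl->AddRef(e->punkVal);  /* indirect call via vtable */
    }
    return 0;
}

/* Hardened form: reject anything that is not the expected vector type. */
static int put_property_bag_fixed(const PROPVARIANT *values)
{
    if (values->vt != (VT_VECTOR | VT_VARIANT))
        return -1;                                   /* type mismatch, bail out */
    return put_property_bag_vulnerable(values);
}

/* Attacker side: a fake object whose vtable AddRef slot points where we like.
 * Here the target only records that control flow reached it. */
static int g_hijacked = 0;
static unsigned long evil_addref(IUnknown *self) { (void)self; g_hijacked = 1; return 1; }
static const IUnknownVtbl evil_vtbl = { NULL, evil_addref, evil_addref };
static IUnknown evil_obj = { &evil_vtbl };

/* Build a VT_BLOB whose bytes are really a PROPVARIANT array. Because
 * blob.cbSize overlays capropvar.cElems and blob.pBlobData overlays
 * capropvar.pElems, the attacker sets the "size" to the element count they
 * want walked and points the blob at the fake elements.
 * Returns -1 if the call was rejected, otherwise 1 if the fake vtable ran. */
static int run_attack(int hardened)
{
    static PROPVARIANT fake_elems[1];
    memset(fake_elems, 0, sizeof fake_elems);
    fake_elems[0].vt = VT_UNKNOWN;
    fake_elems[0].punkVal = &evil_obj;

    PROPVARIANT values;
    memset(&values, 0, sizeof values);
    values.vt = VT_BLOB;
    values.blob.cbSize = 1;                          /* read as cElems */
    values.blob.pBlobData = (uint8_t *)fake_elems;   /* read as pElems */

    g_hijacked = 0;
    int rc = hardened ? put_property_bag_fixed(&values)
                      : put_property_bag_vulnerable(&values);
    return rc < 0 ? -1 : g_hijacked;
}

int main(void)
{
    printf("unchecked vt: hijacked=%d\n", run_attack(0));   /* 1 */
    printf("checked vt:   result=%d\n",   run_attack(1));   /* -1 */
    return 0;
}
```

The fix is the one-line vt comparison in put_property_bag_fixed: with a tagged union, every consumer has to check the tag before touching a member, because the bytes themselves cannot tell a blob pointer from an element pointer.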