Hw64.sys in Marvin Test HW.exe before 5.0.5.0 allows unprivileged user-mode processes to arbitrarily map physical memory via IOCTL 0x9c406490 (for IoAllocateMdl, MmBuildMdlForNonPagedPool, and MmMapLockedPages), leading to NT AUTHORITYSYSTEM privilege escalation.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.