A local attacker can execute arbitrary code as another user by exploiting improper bounds checking in the regedit.exe program. By trapping a key in the registry and having a non-informed user browse it with regedit.exe, the attacker can execute an arbitrary command without the user's knowledge. The vulnerability is caused by a misused RegEnumValueW function in regedit.exe.