NDKPing.sys: a NULL SystemBuffer deref you can blue-screen on demand
glaurung flagged an ioctl dispatcher in the windows NDK diagnostic driver that loads Irp->AssociatedIrp.SystemBuffer and dereferences it without a null check. a METHOD_BUFFERED ioctl with zero-length input and output leaves SystemBuffer NULL, and every case body reads [NULL+0x28]. reproduced live as bugcheck 0x3B, but it is admin-only, which is exactly why microsoft will not fix it.
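
the check the dispatcher is missing, as an added example (a user-mode model written for this page, not NDKPing.sys code): validate SystemBuffer and the input length once, before the switch on the control code, so no case body can reach an unchecked pointer. `MODEL_IRP`, `MODEL_REQUEST` and `field_28` are hypothetical stand-ins; only the read at offset 0x28 comes from the post.

```c
#include <stddef.h>
#include <stdint.h>
/* NTSTATUS values as defined in ntstatus.h. */
#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_PARAMETER 0xC000000Du
#define STATUS_BUFFER_TOO_SMALL  0xC0000023u

/* Hypothetical request layout: only the offset 0x28 is taken from the page. */
typedef struct {
    uint8_t  opaque[0x28];
    uint32_t field_28;
} MODEL_REQUEST;

/* Simplified stand-in for the IRP fields a METHOD_BUFFERED dispatcher uses. */
typedef struct {
    void    *SystemBuffer;       /* Irp->AssociatedIrp.SystemBuffer */
    uint32_t InputBufferLength;  /* Parameters.DeviceIoControl.InputBufferLength */
    uint32_t OutputBufferLength; /* Parameters.DeviceIoControl.OutputBufferLength */
} MODEL_IRP;

/* Runs before any case body; hands back a typed pointer only when it is safe to read. */
uint32_t validate_buffered_request(const MODEL_IRP *irp, const MODEL_REQUEST **out)
{
    *out = NULL;
    /* Zero-length input and output: nothing was allocated, SystemBuffer is NULL. */
    if (irp->SystemBuffer == NULL)
        return STATUS_INVALID_PARAMETER;
    /* Non-NULL is not enough: the caller's input must cover offset 0x28 and the field. */
    if (irp->InputBufferLength < sizeof(MODEL_REQUEST))
        return STATUS_BUFFER_TOO_SMALL;
    *out = (const MODEL_REQUEST *)irp->SystemBuffer;
    return STATUS_SUCCESS;
}

/* One modelled case body: the read at +0x28 happens only after validation. */
uint32_t dispatch_model(const MODEL_IRP *irp, uint32_t *value)
{
    const MODEL_REQUEST *req;
    uint32_t status = validate_buffered_request(irp, &req);
    if (status != STATUS_SUCCESS)
        return status;
    *value = req->field_28;
    return STATUS_SUCCESS;
}

int main(void)
{
    MODEL_IRP zero = { NULL, 0, 0 };  /* constructed zero-length request */
    uint32_t v = 0;
    return dispatch_model(&zero, &v) == STATUS_INVALID_PARAMETER ? 0 : 1;
}
```

the length test is the one that matters in a real driver: an input length of at least sizeof(MODEL_REQUEST) already implies a non-NULL SystemBuffer, and it also rejects the case where only the output length is nonzero and the buffer holds no caller data.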