KERNEL_MODE_HEAP_CORRUPTION with unknown arg1 value

Hi everyone,
I'm testing my minifilter driver in the latest version of Windows 11 (24H2, KB5052093). To my surprise, it is throwing a BSOD on this version of Windows even though it works on 23H2 and all versions of Windows 10.
Furthermore, the bug check I'm getting is KERNEL_MODE_HEAP_CORRUPTION with argument 1 set to 0x17, which is not documented in Windows' docs.

The results from the memory dump are pretty inconclusive. At first the debugger was pointing to one ExAllocatePoolWithTag() line. After commenting out that part, the debugger points to a different ExAllocatePoolWithTag(), and so on, until my driver does not even show up in the call stack. If I remove enough functionality from my driver it eventually "works", but it is impossible to pinpoint one specific section of code.

I have checked the changelog for Windows 11 24H2 but I haven't seen any references to changes to the kernel heap manager. Does anyone have any clue on why this might be happening? Or what arg1:0x17 means?
Thank you all in advance for taking your time to read this.

Here is the output of the dump analysis for my driver without any modifications:

KERNEL_MODE_HEAP_CORRUPTION (13a)
The kernel mode heap manager has detected corruption in a heap.
Arguments:
Arg1: 0000000000000017, Type of corruption detected
Arg2: ffffe78f5a100380, Address of the heap that reported the corruption
Arg3: ffffe78f5c032160, Address at which the corruption was detected
Arg4: 0000000000000000

Debugging Details:

DUMP_CLASS: 1

DUMP_QUALIFIER: 0

BUILD_VERSION_STRING: 10.0.26100.3323 (WinBuild.160101.0800)

DUMP_TYPE: 0

BUGCHECK_P1: 17

BUGCHECK_P2: ffffe78f5a100380

BUGCHECK_P3: ffffe78f5c032160

BUGCHECK_P4: 0

CPU_COUNT: 2

CPU_MHZ: 900

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 8e

CPU_STEPPING: c

CPU_MICROCODE: 6,8e,c,0 (F,M,S,R) SIG: FFFFFFFF'00000000 (cache) FFFFFFFF'00000000 (init)

DEFAULT_BUCKET_ID: CODE_CORRUPTION

BUGCHECK_STR: 0x13A

PROCESS_NAME: System

CURRENT_IRQL: 2

ANALYSIS_SESSION_HOST: -redacted-

ANALYSIS_SESSION_TIME: 03-05-2025 12:02:54.0531

ANALYSIS_VERSION: 10.0.15063.468 amd64fre

LOCK_ADDRESS: fffff803cd58a6a0 -- (!locks fffff803cd58a6a0)

Resource @ nt!PiEngineLock (0xfffff803cd58a6a0) Exclusively owned
Contention Count = 2
Threads: ffffe78f5c279040-01<*>
1 total locks

PNP_TRIAGE:
Lock address : 0xfffff803cd58a6a0
Thread Count : 1
Thread address: 0xffffe78f5c279040
Thread wait : 0x1962

LAST_CONTROL_TRANSFER: from fffff803ccb700e2 to fffff803ccab8af0

STACK_TEXT:
ffffd88d99f00738 fffff803ccb700e2 : ffffd88d99f007b8 0000000000000101 0000000000000100 fffff803ccc92a01 : nt!DbgBreakPointWithStatus
ffffd88d99f00740 fffff803ccb6f60c : 0000000000000003 ffffd88d99f008a0 fffff803ccc92b40 000000000000013a : nt!KiBugCheckDebugBreak+0x12
ffffd88d99f007a0 fffff803ccab7de7 : 0000000000000001 0000000000000003 0000000000000000 00000000ffff8000 : nt!KeBugCheck2+0xb2c
ffffd88d99f00f30 fffff803ccbb1f58 : 000000000000013a 0000000000000017 ffffe78f5a100380 ffffe78f5c032160 : nt!KeBugCheckEx+0x107
ffffd88d99f00f70 fffff803ccbb1fb8 : 0000000000000017 0000000000000001 ffffe78f5a100380 ffffd88d99f00fc8 : nt!RtlpHeapHandleError+0x40
ffffd88d99f00fb0 fffff803cc899b11 : ffffe78f5c032000 ffffe78f5a100380 ffffe78f5cb53120 0000000000000000 : nt!RtlpHpHeapHandleError+0x58
ffffd88d99f00fe0 fffff803cc89b681 : 0000000000000180 ffffe78f5cb53120 0000000000000000 0000000000000000 : nt!RtlpLogHeapFailure+0x45
ffffd88d99f01010 fffff803cc990939 : ffffe78f5c032000 0000000000000013 ffffe78f5a100380 fffff803cc82db79 : nt!RtlpHpLfhReportError+0x21
ffffd88d99f01050 fffff803cc99027b : ffffe78f5c032000 0000000000000110 00000000000e0001 000ffffe78f5c032 : nt!RtlpHpLfhSubsegmentDelayFreeListProcess+0x255
ffffd88d99f010d0 fffff803cc80ab34 : ffffe78f5c032000 00000000000e0001 ffffe78f5a100380 0000000000000000 : nt!RtlpHpLfhOwnerGetSubsegment+0x93
ffffd88d99f01120 fffff803cc80a2b6 : ffffe78f5cb56c00 ffffe78f5a100440 0000000000000110 ffffbc8300000000 : nt!RtlpHpLfhSlotAllocateSlow+0x1bc
ffffd88d99f011d0 fffff803cc808a0a : ffffe78f5a100000 0000000000000000 ffffd88d99f012f0 0000000000030017 : nt!RtlpHpAllocateHeap+0x2f6
ffffd88d99f01250 fffff803cc808492 : 0000000000000246 fffff803cc88797f 0000000023474d56 0000000000000000 : nt!ExAllocateHeapPool+0x50a
ffffd88d99f01380 fffff803cd134189 : 0000000000000042 ffffd88d99f017d0 0000000000000000 ffffd88d99f01478 : nt!ExpAllocatePoolWithTagFromNode+0x52
ffffd88d99f013c0 fffff803cd1340b7 : fffff803629a4b90 0000000000000200 0000000000000003 fffff8036299f980 : nt!ExAllocatePool2+0x99
ffffd88d99f01470 fffff8036299a25b : ffffe78f5ccbcc48 00000000c01c0018 ffffe78f5cb53120 00000000c0000000 : nt!ExAllocatePoolWithTag+0xa7
ffffd88d99f014b0 fffff803629b4623 : ffffbc8378a145f8 ffffbc8378a14638 ffffe78f5cc46010 0000000000000000 : Protector!TryNativePathToDosPath+0x16b [..\pathconversion.c @ 501]
ffffd88d99f01530 fffff8035e2c7831 : ffffe78f5ccbcc48 ffffd88d99f01780 ffffd88d99f01728 ffffe78f5ccbcb60 : Protector!PreCreate+0x243 [..\checkerfs.c @ 1322]
ffffd88d99f016d0 fffff8035e2c6ec1 : ffffd88d99f01950 0000000000000000 0000000000000000 0000000000000000 : FLTMGR!FltpPerformPreCallbacksWorker+0x631
ffffd88d99f01860 fffff8035e327397 : ffffd88d99efd000 ffffd88d99f01990 ffffe78f5c226ee0 0000000000000000 : FLTMGR!FltpPassThroughInternal+0xf1
ffffd88d99f01910 fffff803cc94e4ae : ffffe78f5cb56c00 0000000000000000 0000000000000000 0000000000000000 : FLTMGR!FltpCreate+0x687
ffffd88d99f019c0 fffff803ccfc916a : fffff803ccfc7f04 ffffd88d99f01ca0 0000000000000000 fffff803cce729d4 : nt!IofCallDriver+0xbe
ffffd88d99f01a00 fffff803cce5696d : fffff803ccfc7f00 fffff803ccfc7f00 0000000000000000 ffffd88d99f01de8 : nt!IopParseDevice+0x126a
ffffd88d99f01ba0 fffff803cce547c1 : ffffe78f5cc56901 ffffd88d99f01de8 ffffe78f00000240 ffffe78f5a698200 : nt!ObpLookupObjectName+0xe8d
ffffd88d99f01d60 fffff803ccf5e282 : 0000000000000000 ffffe78f5a698200 0000000000000001 ffffd88d99f01ee0 : nt!ObOpenObjectByNameEx+0x201
ffffd88d99f01eb0 fffff803ccf5de68 : ffffd88d99f022b0 0000000000000020 ffffd88d99f022d0 ffffd88d99f02300 : nt!IopCreateFile+0x37a
ffffd88d99f01f90 fffff803ccc8c555 : ffffe78f5ccc6000 fffff803cc807d28 ffffd88d00000000 0000000000000000 : nt!NtOpenFile+0x58
ffffd88d99f02020 fffff803ccc7a9b0 : fffff803ccdc7157 000000005a100000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x25
ffffd88d99f02228 fffff803ccdc7157 : 000000005a100000 0000000000000000 0000000000000000 0000000000000040 : nt!KiServiceLinkage
ffffd88d99f02230 fffff803cd0721e3 : ffffe78f5ccc1de0 0000000000000000 0000000000000000 0000000000000000 : nt!MiCreateSectionForDriver+0x207
ffffd88d99f02380 fffff803ccfab955 : ffffd88d99f02468 ffffd88d99f02538 0000000000000000 0000000000000000 : nt!MiObtainSectionForDriver+0x11b
ffffd88d99f023f0 fffff803ccfaadee : ffffd88d99f02538 0000000000000000 0000000000000000 ffffe78f5c42bfd0 : nt!MmLoadSystemImageEx+0x10d
ffffd88d99f024d0 fffff803ccfaea1e : 0000000000000000 0000000000000000 0000000000000004 ffffd88d00000004 : nt!IopLoadDriver+0x262
ffffd88d99f026a0 fffff803ccfae612 : 0000000000000101 0000000000000000 ffffe78f5a703d70 ffffffff80000148 : nt!PipCallDriverAddDeviceQueryRoutine+0x29e
ffffd88d99f02730 fffff803cd093fda : 0000000000000000 ffffd88d99f02840 ffffd88d99f02ac0 fffff8030000001a : nt!PnpCallDriverQueryServiceHelper+0x102
ffffd88d99f027e0 fffff803ccf22430 : ffffe78f5a71a6f0 ffffe78f5a73ebc0 ffffe78f5a71a6f0 ffffd88d99f02a21 : nt!PipCallDriverAddDevice+0xa7a
ffffd88d99f029a0 fffff803cccf72d4 : ffffe78f5a71ab40 ffffe78f5cd51710 ffffd88d99f02ac0 fffff80300000000 : nt!PipProcessDevNodeTree+0x4f8
ffffd88d99f02a70 fffff803cccc0b4b : 0000000100000003 ffffe78f5cd51710 0000000000000000 0000000000000000 : nt!PiProcessStartSystemDevices+0x60
ffffd88d99f02ac0 fffff803cc917b02 : ffffe78f5c279040 ffffe78f5a769ca0 fffff803cca35f90 ffffe78f00000000 : nt!PnpDeviceActionWorker+0x28abbb
ffffd88d99f02b80 fffff803cca4fd8a : ffffe78f5c279040 ffffe78f5c279040 fffff803cc917950 ffffe78f5a769ca0 : nt!ExpWorkerThread+0x1b2
ffffd88d99f02d30 fffff803ccc7a024 : fffff8035a3e0180 ffffe78f5c279040 fffff803cca4fd30 0000000000000000 : nt!PspSystemThreadStartup+0x5a
ffffd88d99f02d80 0000000000000000 : ffffd88d99f03000 ffffd88d99efd000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x34

STACK_COMMAND: kb

CHKIMG_EXTENSION: !chkimg -lo 50 -d !FLTMGR
fffff8035e2c1110-fffff8035e2c1111 2 bytes - FLTMGR!FltpFreeStaticIrpCtrl+100
[ 48 ff:4c 8b ]
fffff8035e2c1117-fffff8035e2c111b 5 bytes - FLTMGR!FltpFreeStaticIrpCtrl+107 (+0x07)
[...]
fffff8035e30e977-fffff8035e30e978 2 bytes - FLTMGR!FltpCleanupBackPocketIrpCtrls+5f (+0x2d)
[ 48 ff:4c 8b ]
fffff8035e30e97e-fffff8035e30e982 5 bytes - FLTMGR!FltpCleanupBackPocketIrpCtrls+66 (+0x07)
[ 0f 1f 44 00 00:e8 3d 63 e2 6e ]
fffff8035e30e9d7 - FLTMGR!FltpInitializeBackPocketIrpCtrls+2b (+0x59)
[ 6a:6e ]
WARNING: !chkimg output was truncated to 50 lines. Invoke !chkimg without '-lo [num_lines]' to view entire output.
16389 errors : !FLTMGR (fffff8035e2c1110-fffff8035e32f960)

MODULE_NAME: memory_corruption

IMAGE_NAME: memory_corruption

FOLLOWUP_NAME: memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP: 0

MEMORY_CORRUPTOR: LARGE

FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE

BUCKET_ID: MEMORY_CORRUPTION_LARGE

PRIMARY_PROBLEM_CLASS: MEMORY_CORRUPTION_LARGE

TARGET_TIME: 2025-03-05T11:01:05.000Z

OSBUILD: 26100

OSSERVICEPACK: 3323

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 1979-08-12 11:27:19

BUILDDATESTAMP_STR: 160101.0800

BUILDLAB_STR: WinBuild

BUILDOSVER_STR: 10.0.26100.3323

ANALYSIS_SESSION_ELAPSED_TIME: 3797

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:memory_corruption_large

FAILURE_ID_HASH: {e29154ac-69a4-0eb8-172a-a860f73c0a3c}

Followup: memory_corruption

These are among the more difficult problems to diagnose, because it's possible the damage occurred some time ago. Did you dump the memory around the corruption to see if it looked familiar?

In most cases, this is caused by overrunning a buffer. I see you're doing path manipulation here; it could be something as simple as forgetting to allocate space for a 0 terminator, or forgetting whether the string was supposed to be zero terminated or not.
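The terminator mistake described above, as an added illustration that is not code from the thread or from the driver under discussion. It uses a constructed stand-in for the kernel's counted UNICODE_STRING (which is not guaranteed to be NUL-terminated) and shows the allocation size that the path-copy needs versus the Length-only size that overruns by one WCHAR.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the kernel's counted UNICODE_STRING: Length and
 * MaximumLength are byte counts and Buffer is NOT guaranteed NUL-terminated. */
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    uint16_t *Buffer;
} COUNTED_WSTR;

/* Bytes a NUL-terminated copy of `s` needs. The common off-by-one is to
 * allocate only s->Length bytes, which leaves no room for the terminator;
 * in pool memory that one WCHAR lands in the neighbouring chunk's header. */
size_t bytes_for_terminated_copy(const COUNTED_WSTR *s) {
    return (size_t)s->Length + sizeof(uint16_t);
}

/* Copy the counted string into a caller-provided buffer of `cap` bytes and
 * NUL-terminate it. Returns 0 on success, -1 if the buffer is too small
 * (the size check is what the overrunning code is missing). */
int copy_terminated(const COUNTED_WSTR *s, uint16_t *dst, size_t cap) {
    if (cap < bytes_for_terminated_copy(s)) return -1;
    memcpy(dst, s->Buffer, s->Length);
    dst[s->Length / sizeof(uint16_t)] = 0;   /* terminator goes past Length */
    return 0;
}

/* Self-check on a constructed 5-character counted string whose source buffer
 * has no terminator: the Length-sized (10-byte) destination is rejected, the
 * Length+2 (12-byte) destination is filled and terminated. Returns 1 if so. */
int demo(void) {
    uint16_t src[5] = { 'C', ':', '\\', 'a', 'b' };
    COUNTED_WSTR s = { 10, 10, src };
    uint16_t small[5], big[6];
    int short_rc = copy_terminated(&s, small, sizeof small);  /* -1 */
    int ok_rc = copy_terminated(&s, big, sizeof big);         /* 0 */
    return short_rc == -1 && ok_rc == 0 && big[4] == 'b' && big[5] == 0;
}
```

Under Driver Verifier with Special Pool enabled, the same one-WCHAR overrun faults at the offending write instead of surfacing later as a 0x13A heap-corruption bug check in unrelated code.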

Thank you for your response Tim, it did in fact point me towards the right direction.
The problem was indeed a buffer overflow caused by the incorrect offset of a field from an undocumented Windows structure (_FLT_VOLUME) which happened to change in this last version of Windows 11.