This CVE is the result of a patch bypass for CVE-2020-0986, reported to Microsoft by Kaspersky in December 2019 and patched in June 2020. Google Project Zero researcher Maddie Stone notified Microsoft on September 24, 2020 that the fix for Kaspersky's reported vulnerability was incomplete. CVE-2020-17008 was [published on December 23, 2020](https://bugs.chromium.org/p/project-zero/issues/detail?id=2096) as part of Google's 90-day disclosure deadline. Notably, CVE-2020-0986 was exploited in the wild as part of [Operation PowerFall](https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/). Stone's tweet thread on the incomplete patch [is here](https://twitter.com/maddiestone/status/1341781307508969473).