The original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy. The "fix" simply changed the pointers to offsets, which still allows control of the args to the memcpy.
- Maddie Stone (@maddiestone) December 23, 2020
According to what has now been explained by the researcher Maddie Stone (of Google Project zero), in fact, CVE-2020-0986 is now outdated by virtue of the fact that the same vulnerability can be attacked with a different method. In short, a wound reopened, demonstrating that the May correction was more a simple patch than a real solution.
90 days after the report to Microsoft, no corrections have been released and for this reason Google has now made explicit the terms of the ongoing danger. There will be no other Microsoft patches before the beginning of January, so the vulnerability is destined to remain open until then: in all likelihood, in light of the seriousness of the bug and the fact that it was already known to the Redmond team, the update will still be regularly included in the next monthly update cycle.
Source: Bleeping Computer