by oblong 2945 days ago
> This UB was leading to disclosure of little bits of kernel memory back into user mode because Windows engineers assumed that = { 0 } was the same as leaving the variable uninitialized and then memsetting the whole thing to zero

But what on earth were they doing with the padding bits?

3 comments

They aren't doing anything with the padding bytes. But what probably happened was they copied the array into userland memory, which potentially allows a malicious sandboxed program to read the padding bytes that contain bits of kernel memory.
Total guess, but they could have been including them in a hash function or struct equality check (equality with memcmp, hash by just grabbing bytes, etc.).

That would not have gone well with uninitialized padding :-)

It's not uncommon for a function to use a supplied output buffer as scratch space. So the padding could have contained pretty much anything.
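An added example (not from any commenter) illustrating the quoted `= { 0 }` vs memset point and the "copied into userland" reply: a constructed struct with internal padding, the brace-init fill that leaves padding unspecified, the memset fill that defines every byte, and a check a defender can run on the object before it crosses a trust boundary. The struct layout and field values are made up for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example struct: on common ABIs uint32_t is 4-byte aligned, so 3 padding
   bytes follow 'tag' and 2 trail 'flags' (sizeof == 12, members total 7). */
struct reply {
    uint8_t  tag;
    uint32_t value;
    uint16_t flags;
};

/* True if byte offset 'off' inside struct reply belongs to no member, i.e. is padding. */
static int is_padding_byte(size_t off) {
#define IN_MEMBER(m) (off >= offsetof(struct reply, m) && \
                      off < offsetof(struct reply, m) + sizeof(((struct reply *)0)->m))
    return !(IN_MEMBER(tag) || IN_MEMBER(value) || IN_MEMBER(flags));
#undef IN_MEMBER
}

/* Total number of padding bytes in struct reply (5 on a typical x86-64 build). */
size_t reply_padding_bytes(void) {
    size_t n = 0;
    for (size_t off = 0; off < sizeof(struct reply); off++) n += is_padding_byte(off);
    return n;
}

/* Defender's check: count padding bytes of a filled object that are non-zero. Run this on
   anything about to be copied to user mode; a non-zero result means stale bytes would leak. */
size_t nonzero_padding_bytes(const struct reply *r) {
    const unsigned char *p = (const unsigned char *)r;
    size_t n = 0;
    for (size_t off = 0; off < sizeof *r; off++)
        if (is_padding_byte(off) && p[off] != 0) n++;
    return n;
}

/* The pattern the quoted comment describes: `= { 0 }` zeroes every member, but the C standard
   leaves padding unspecified, so whether it is zero depends on the compiler and call site. */
void fill_reply_brace_init(struct reply *out) {
    struct reply r = { 0 };
    r.tag = 1; r.value = 0x11223344; r.flags = 7;
    memcpy(out, &r, sizeof r);
}

/* Hardened form: memset the whole object first, so padding is defined before the copy. */
void fill_reply_memset(struct reply *out) {
    struct reply r;
    memset(&r, 0, sizeof r);
    r.tag = 1; r.value = 0x11223344; r.flags = 7;
    memcpy(out, &r, sizeof r);
}
```

Only the memset variant guarantees `nonzero_padding_bytes` returns 0; the brace-init variant may or may not, which is exactly why the two were wrongly assumed equivalent.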