While being bored and poking around various functions in Windows settings, I saw that the "Ease of Access" -> "Narrator" page has a function to install a third-party braille software called brltty, including the brlapi. While this is in no way worthy of a CVE and could not even be called a real vulnerability, I just wanted to document it for the sake of documentation. ¯\_(ツ)_/¯
So after clicking the "Download and install braille" button (requires admin access), Windows installs brltty (and brlapi) to the directory C:\Windows\brltty. It furthermore installs the service "brlapi", which all members of the group INTERACTIVE can start and stop. The service runs as "NT Authority\Local Service".
When the service is started or restarted, various files are loaded, and like a lot of other Linux-ported-to-Windows applications, the path loading order is pretty messed up. The service will try to read/create files/devices in c:\dev\null and c:\etc\xdg\brltty. If the c:\etc\xdg\brltty directory exists, the configuration file "brltty.conf" will be loaded. While the configuration file had a few interesting settings, none provided malicious functionality beyond creating a directory anywhere as "NT Authority\Local Service".
However, further into the start process, the service will try to load the DLL file "libusbK.DLL" from the directories on the system PATH environment variable.
If a low-privileged user has write access to any of these directories, privilege escalation to "NT Authority\Local Service" would be possible.
Since this privilege escalation requires so many factors to align, it can't really be called a vulnerability.
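As an added defensive check (my own example, not part of brltty or the settings page), the PowerShell below audits the two conditions this post depends on: it lists every machine-wide PATH directory that grants write rights to broad low-privilege groups, and prints the brlapi service's security descriptor so you can see who may start and stop it. The list of principals treated as "low-privileged" is an assumption; extend it for your environment.

```powershell
# Rights that let a principal place or replace a file in a directory.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = $fsr::CreateFiles -bor $fsr::CreateDirectories -bor $fsr::Write

# Assumed set of broad, low-privilege principals to flag.
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

function Get-WritablePathDirs {
    # Machine PATH is what a service running as Local Service resolves DLLs from.
    $dirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()) } |
        Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
        Select-Object -Unique

    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir
        foreach ($ace in $acl.Access) {
            $isAllow  = $ace.AccessControlType -eq 'Allow'
            $isBroad  = $lowPrivPrincipals -contains $ace.IdentityReference.Value
            $canWrite = ([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0
            if ($isAllow -and $isBroad -and $canWrite) {
                [pscustomobject]@{
                    Directory = $dir
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

# Any row here is a DLL search-order risk for services that load libraries by name.
Get-WritablePathDirs | Format-Table -AutoSize

# Service DACL in SDDL form. "IU" is INTERACTIVE; RP = start, WP = stop.
# If brltty is installed, an ACE like (A;;...RPWP...;;;IU) matches what the post describes.
sc.exe sdshow brlapi
```

Fixing a flagged directory means tightening its ACL (remove write for the broad group), not moving it off PATH.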
Oh, and for some reason Windows by default installs brltty 5.5 while brltty 6.1 is currently the latest version.