From the MSDN format type page:

Security Note: The %n format is inherently insecure and is disabled by default; if %n is encountered in a format string, the invalid parameter handler is invoked as described in Parameter Validation. To enable %n support, see _set_printf_count_output.
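
A pre-check that flags a %n conversion in a format string before it reaches a printf-family call, as an added example that is not part of the original answer or of MSDN. The function name format_has_count_directive is hypothetical, and the flag and length-prefix sets are an assumption covering the standard C and MSVC prefixes.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a CRT function): returns 1 if fmt contains a
 * %n conversion with any flags, width, precision or length prefix,
 * 0 otherwise. "%%" is treated as a literal percent sign. */
int format_has_count_directive(const char *fmt)
{
    const char *p = fmt;

    while ((p = strchr(p, '%')) != NULL) {
        p++;                                  /* step past '%' */
        if (*p == '%') {                      /* "%%" prints one '%' */
            p++;
            continue;
        }
        p += strspn(p, "-+ #'0123456789.*$"); /* flags, width, precision, N$ */
        p += strspn(p, "hlLjztqwI");          /* length prefixes (C and MSVC) */
        p += strspn(p, "0123456789");         /* digits of MSVC I32 / I64 */
        if (*p == 'n')
            return 1;                         /* count-output conversion */
        if (*p != '\0')
            p++;                              /* skip the conversion letter */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample format strings. */
    const char *samples[] = {
        "user=%s id=%d", "100%% done", "%n", "%hhn", "%08lln",
        "%5$n", "progress: 50%", "%%n is literal"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i],
               format_has_count_directive(samples[i]) ? "reject" : "ok");
    return 0;
}
```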