Do not pass a string literal or a cast CString to a COM function that expects a BSTR parameter.
Vulnerability and risk
If a COM object requires a BSTR then you must pass a BSTR.
Mitigation and prevention
Consider creating a BSTR object prior to the function call and then passing it as the argument.
comMethod(L"const String");
comMethod((LPOLESTR)m_string);
The code above calls a COM object method twice: once with a string literal and once with a CString cast to LPOLESTR.
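Why the two calls are unsafe and what the recommended fix changes, as an added example that is not part of the original page: a BSTR carries a 4-byte length prefix in front of its characters, which a string literal or a cast CString buffer does not have. The `Model*` functions are hypothetical, portable stand-ins for `SysAllocStringLen`, `SysFreeString` and `SysStringLen` so the example builds without the Windows SDK, and the 0x7F filler bytes are constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>

// Portable model of the documented BSTR layout (not the Windows SDK itself):
// [4-byte length in bytes][UTF-16 code units][terminator]; the pointer addresses the first code unit.
using ModelBSTR = char16_t*;

// Stand-in for SysAllocStringLen: copies n code units and writes the length prefix.
ModelBSTR ModelAllocStringLen(const char16_t* src, std::uint32_t n) {
    const std::uint32_t bytes = n * static_cast<std::uint32_t>(sizeof(char16_t));
    auto* raw = static_cast<unsigned char*>(std::calloc(1, 4 + bytes + sizeof(char16_t)));
    if (!raw) return nullptr;
    std::memcpy(raw, &bytes, 4);
    std::memcpy(raw + 4, src, bytes);
    return reinterpret_cast<ModelBSTR>(raw + 4);
}

// Stand-in for SysFreeString.
void ModelFreeString(ModelBSTR s) { if (s) std::free(reinterpret_cast<unsigned char*>(s) - 4); }

// Stand-in for SysStringLen: trusts the prefix, never scans for a terminator.
std::uint32_t ModelStringLen(const char16_t* s) {
    std::uint32_t bytes;
    std::memcpy(&bytes, reinterpret_cast<const unsigned char*>(s) - 4, 4);
    return static_cast<std::uint32_t>(bytes / sizeof(char16_t));
}

// Flagged pattern: a plain wide string has unrelated bytes (constructed: four 0x7F) where the prefix belongs.
std::uint32_t LenSeenForPlainString() {
    static const char16_t text[] = u"const String";
    alignas(4) unsigned char image[4 + sizeof(text)] = {0x7F, 0x7F, 0x7F, 0x7F};
    std::memcpy(image + 4, text, sizeof(text));
    return ModelStringLen(reinterpret_cast<const char16_t*>(image + 4));
}

// Recommended pattern: allocate a real BSTR, pass it, free it afterwards.
// With the SDK: BSTR b = SysAllocString(L"const String"); comMethod(b); SysFreeString(b);
std::uint32_t LenSeenForRealBstr() {
    ModelBSTR b = ModelAllocStringLen(u"const String", 12);
    const std::uint32_t n = b ? ModelStringLen(b) : 0;
    ModelFreeString(b);
    return n;
}

int main() {
    std::printf("plain: %u, real BSTR: %u\n", LenSeenForPlainString(), LenSeenForRealBstr());
}
```

For the CString case, `m_string.AllocSysString()` returns a BSTR copy that the caller releases with `SysFreeString` after the call.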