FreeBSD Security Advisory - In FreeBSD 7.0, support was introduced for per-process timers as defined in the POSIX realtime extensions. This allows a process to have a limited number of timers running at once, with various actions taken when each timer reaches zero. An integer which specifies which timer a process wishes to operate upon is not properly bounds-checked. An unprivileged process can overwrite an arbitrary location in kernel memory. This could be used to change the user ID of the process (in order to "become root"), to escape from a jail, or to bypass security mechanisms in other ways.
bfe3f8cd4f9f141932f321714dc7fd3f873020d7be4c70aea61d5dfc7f2b2af7