Credit: Nelson Elhage
Nelson Elhage found an interesting interaction between Linux threads created with the CLONE_CHILD_CLEARTID flag and the kernel's set_fs function, which turned bugs that would otherwise only cause a DoS into fully exploitable ones. The public PoC for this vulnerability was later released by Dan Rosenberg.