The VT implementation (vt_ioctl.c) in Linux kernel 2.6.12, and possibly other versions including 2.6.14.4, allows local users to use the KDSKBSENT ioctl on terminals of other users and gain privileges, as demonstrated by modifying key bindings using loadkeys.
bugs.debian.org/cgi-bin/bugreport.cgi?bug=334113
rhn.redhat.com/errata/RHBA-2007-0304.html
secunia.com/advisories/17226
secunia.com/advisories/17826
secunia.com/advisories/17995
secunia.com/advisories/18203
secunia.com/advisories/19185
secunia.com/advisories/19369
secunia.com/advisories/19374
www.debian.org/security/2006/dsa-1017
www.debian.org/security/2006/dsa-1018
www.mandriva.com/security/advisories?name=MDKSA-2005:218
www.mandriva.com/security/advisories?name=MDKSA-2005:219
www.mandriva.com/security/advisories?name=MDKSA-2005:220
www.mandriva.com/security/advisories?name=MDKSA-2005:235
www.securityfocus.com/bid/15122
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10615
usn.ubuntu.com/231-1/