systemd-logind, part of the systemd package, keeps track of user logins and sessions. Upon login it creates dedicated files inside the /run/user/ directory in an insecure manner. This allows local attackers to create symlinks inside arbitrary directories. Further exploitation steps allow local attackers to gain root access.
There is no easy workaround, please install the update packages.