Debian tmpreaper is vulnerable to privilege escalation. A race condition when doing a (bind) mount via rename() occurs when mounting via rename(). A file would potentially be placed elsewhere on the filesystem hierarchy if the directory being cleaned up was on the same physical filesystem. This allows an attacker to obtain higher privileges on the system.