FreeBSD Security Advisory – In FreeBSD 7.0, support was introduced for per-process timers as defined in the POSIX realtime extensions. This allows a process to have a limited number of timers running at once, with various actions taken when each timer reaches zero. An integer which specifies which timer a process wishes to operate upon is not properly bounds-checked. An unprivileged process can overwrite an arbitrary location in kernel memory. This could be used to change the user ID of the process (in order to “become root”), to escape from a jail, or to bypass security mechanisms in other ways.
You can download this advisory from the following link: https://packetstormsecurity.com/files/download/75989/FreeBSD-SA-09-06.ktimer.txt
Source: https://packetstormsecurity.com/files/75989/FreeBSD-Security-Advisory-ktimer.html