Privilege escalation with expand_stack().
vulners.com/securityvulns/securityvulns:doc:15690
vulners.com/securityvulns/securityvulns:doc:15773