The VT implementation (vt_ioctl.c) in Linux kernel 2.6.12, and possibly other versions including 2.6.14.4, allows local users to use the KDSKBSENT ioctl on terminals of other users and gain privileges, as demonstrated by modifying key bindings using loadkeys.
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10615
http://www.securityfocus.com/bid/15122
http://www.mandriva.com/security/advisories?name=MDKSA-2005:235
http://www.mandriva.com/security/advisories?name=MDKSA-2005:220
http://www.mandriva.com/security/advisories?name=MDKSA-2005:219
http://www.mandriva.com/security/advisories?name=MDKSA-2005:218
http://www.debian.org/security/2006/dsa-1018
http://www.debian.org/security/2006/dsa-1017
http://secunia.com/advisories/19374
http://secunia.com/advisories/19369
http://secunia.com/advisories/19185
http://secunia.com/advisories/18203
http://secunia.com/advisories/17995
http://secunia.com/advisories/17826