The kernel in Apple iOS before 5.0.1 does not ensure the validity of flag combinations for an mmap system call, which allows local users to execute arbitrary unsigned code via a crafted app.
http://www.securitytracker.com/id?1026287
http://support.apple.com/kb/HT5052
http://lists.apple.com/archives/Security-announce/2011/Nov/msg00001.html