The vulnerability allows even restricted users and apps to gain full root access.
“For almost three years, millions of servers and smaller devices running Linux have been vulnerable to attacks that allow an unprivileged app or user to gain nearly unfettered root access. Major Linux distributors are expected to fix the privilege escalation bug this week, but the difficulty of releasing updates for Android handsets and embedded devices means many people may remain susceptible for months or years.”
Read the full article off-site here
The flaw introduced in version 3.8 of the Linux kernel resides in the OS keyring which allows apps to store sensitive security data in the kernel such as authentication tokens and encryption keys.
In theory, it should be impossible for other apps to access the data, but by using an exploit it is possible to replace a keyring object stored in memory with code that is executed by the kernel.
Android Devices running a version prior to v5.0 may be vulnerable too while Android 5.0 and above are protected, as the Android SELinux policy prevents 3rd party applications from reaching the affected code… for now.
It all goes to show that no OS is secure.