libc does not account for all the possible return values from the kernel getcwd syscall; arbitrary code execution may result from applications making further assumptions on the return value from the getcwd libary function.