Linux kernel before 2.6.16.5 does not properly handle uncanonical return addresses on Intel EM64T CPUs, which reports an exception in the SYSRET instead of the next instruction, which causes the kernel exception handler to run on the user stack with the wrong GS.
kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.5
lwn.net/Alerts/180820/
secunia.com/advisories/19639
secunia.com/advisories/19735
secunia.com/advisories/20157
secunia.com/advisories/20237
secunia.com/advisories/20398
secunia.com/advisories/20716
secunia.com/advisories/20914
secunia.com/advisories/21136
secunia.com/advisories/21179
secunia.com/advisories/21498
secunia.com/advisories/21745
secunia.com/advisories/21983
support.avaya.com/elmodocs2/security/ASA-2006-161.htm
support.avaya.com/elmodocs2/security/ASA-2006-180.htm
www.debian.org/security/2006/dsa-1103
www.mandriva.com/security/advisories?name=MDKSA-2006:086
www.mandriva.com/security/advisories?name=MDKSA-2006:150
www.novell.com/linux/security/advisories/2006-05-31.html
www.novell.com/linux/security/advisories/2006_42_kernel.html
www.novell.com/linux/security/advisories/2006_47_kernel.html
www.osvdb.org/24639
www.redhat.com/support/errata/RHSA-2006-0437.html
www.redhat.com/support/errata/RHSA-2006-0493.html
www.securityfocus.com/bid/17541
www.ubuntu.com/usn/usn-302-1
www.vupen.com/english/advisories/2006/1390
www.vupen.com/english/advisories/2006/1475
www.vupen.com/english/advisories/2006/2554
exchange.xforce.ibmcloud.com/vulnerabilities/25869
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9732