System call entry on Cortex-M (and possibly R and A, but I think not) has a race which allows very practical privilege escalation for malicious userspace processes.
The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.