Linux kernel 2.6.23 allows local users to create low pages in virtual userspace memory and bypass mmap_min_addr protection via a crafted executable file that calls the do_brk function.
http://www.vupen.com/english/advisories/2007/4200
http://www.securityfocus.com/bid/26831