The ktimer feature (sys/kern/kern_time.c) in FreeBSD 7.0, 7.1, and 7.2 allows local users to overwrite arbitrary kernel memory via an out-of-bounds timer value.
https://www.exploit-db.com/exploits/8261
https://exchange.xforce.ibmcloud.com/vulnerabilities/49362