OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers to obtain ownership of arbitrary files via a race condition during execution of library code with UID 0.
https://www.debian.org/security/2023/dsa-5547
https://lists.debian.org/debian-lts-announce/2023/10/msg00048.html
https://github.com/openpmix/openpmix/releases/tag/v5.0.1