The flaw was found in the fsck_msdos system tool, which automatically checks FAT devices like USB flash drives and SD memory cards for FAT filesystem formatting errors:
The vulnerability allows arbitrary code to be executed with system-level privileges, which potentially lets a malicious device (such as the mentioned flash disks or SD cards) take over the entire system when the said device is inserted into the vulnerable system. We do not believe that this attack has been used in the wild. We strongly recommend that users update their software to address this flaw, as well as the others that were part of this update cycle.

Trend Micro reports the same tool is also used by other BSD-based operating systems, including Android. However, Google claims Android is not vulnerable to this attack because it runs fsck_msdos under a very restricted SELinux domain.