A local low privileged attacker can use an untrusted search path in a CHARX system utility to gain root privileges.