The integrity of a modern UNIX kernel -- and therefore all sorts of security assumptions about the system -- depends on the isolation of the kernel data from untrusted code. In other words, we trust the system only inasmuch as we believe that *only* kernel code can access or modify kernel data. This isolation is enforced by the MMU-based memory trapping system, which is expected to trap *any* violating memory access. So whenever a way to affect kernel data by executing code in userspace is discovered (other than through a bona fide syscall on behalf of a process), it immediately makes security headlines.

An overview of kernel exploits (Core Security Technologies is a leading security tools company, and one of the best in the exploit development field):
http://download.coresecurity.com/corporate/attachments/TheKernelCraze.pdf

Here is a recent example:
http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
http://www.cr0.org/misc/CVE-2009-2692.txt
http://www.grsecurity.net/~spender/exploit.txt
http://downloads.securityfocus.com/vulnerabilities/exploits/36038-5.c

A famous older example (from the Polish group "Last Stage of Delirium"):
http://www.blackhat.com/presentations/bh-europe-01/LSD/bh-europe-01-lsd.ppt
http://www.milw0rm.com/exploits/5092

(local copies in the kernel-vulns/ directory)