Posted at LWN.net: "The 'at' command reads commands from standard input for execution at a
later time specified on the command line. If such an execution time is
given in a carefully drafted (but wrong) format, the at command may
crash as a result of a surplus call to free(). The cause of the crash
is a heap corruption that is exploitable under certain circumstances
since the /usr/bin/at command is installed setuid root.
A temporary workaround against the bug is to disable the at command for
non-root users by removing the setuid-bit from the /usr/bin/at command."