It was reported that polkit has a bug, that leads to a minor denial of service, or code execution/privilege escalation.
The only privilege necessary is ability to send D-Bus messages, not even necessarily directly to polkitd (usually privileged services ask polkitd for authorization based of a client request: client<->D-Bus<->service<->D-Bus<->polkitd); the attacker does not need special polkit status.
This bug allows a local user (a person on a multi-user system, or a daemon account after successfully attacking a daemon over the network) to corrupt memory of polkitd.
Corrupting polkitd memory can lead to a crash (known to happen), which is a minor DoS: a specific request being handled during the crash will not get a reply, but polkitd will then be automatically started when next polkit request arrives.
In general corrupting memory can lead to arbitrary code execution as polkitd (no proof of concept exists but I can see no reason for this to be impossible), controlling polkitd allows the attacker to grant to anyone access to any polkit-controlled service, including the ability to run any command as root via pkexec.

Initially reported in https://bugzilla.redhat.com/show_bug.cgi?id=910262
The patches are attached.