The main function in android_main.cpp in thermald allows local users to write to arbitrary files via a symlink attack on /tmp/thermald.pid on systems that lack symlink and hardlink protections in world-writable directories.
Created thermald tracking bugs for this issue:
Affects: fedora-all [bug 1561686]
Affects: epel-7 [bug 1561685]
This CVE is specific to code that is only used on Android. In other cases the code in main.cpp is used, which creates the PID file in /var/run/thermald; AFAICT there is no privilege escalation there as normal users are unable to write to the location.
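
The symlink issue described at the top of this report comes down to how a PID file is opened in a world-writable directory. The following is an added example, not thermald's code: `write_pidfile` and `planted_symlink_is_refused` are hypothetical names, and the demo uses a constructed scratch directory under /tmp with a stand-in target file.

```cpp
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <fcntl.h>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Hypothetical helper: returns 0 on success, -errno on failure.
int write_pidfile(const char *path, pid_t pid) {
    // O_CREAT|O_EXCL refuses any existing name, including a symlink
    // (dangling or not); O_NOFOLLOW is defence in depth.
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0) return -errno;
    struct stat st;
    // Confirm the descriptor is a regular file owned by this process.
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -EPERM;
    }
    char buf[32];
    int len = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    int rc = (write(fd, buf, (size_t)len) == (ssize_t)len) ? 0 : -EIO;
    if (close(fd) != 0 && rc == 0) rc = -EIO;
    return rc;
}

// Constructed scenario: a symlink already sits at the PID path and points at
// a stand-in target. Returns true if the write is refused and the target is intact.
bool planted_symlink_is_refused() {
    char dir[] = "/tmp/pidfile-demo-XXXXXX";
    if (!mkdtemp(dir)) return false;
    std::string target = std::string(dir) + "/target";
    std::string pidpath = std::string(dir) + "/thermald.pid";
    FILE *f = fopen(target.c_str(), "w");
    if (!f) return false;
    fputs("keep", f);
    fclose(f);
    if (symlink(target.c_str(), pidpath.c_str()) != 0) return false;
    int rc = write_pidfile(pidpath.c_str(), getpid());
    char got[8] = {0};
    f = fopen(target.c_str(), "r");
    if (f) { if (fread(got, 1, 4, f) != 4) got[0] = 0; fclose(f); }
    unlink(pidpath.c_str());
    unlink(target.c_str());
    rmdir(dir);
    return rc < 0 && strcmp(got, "keep") == 0;
}
```

Because the helper never reuses an existing name, a stale PID file from a previous run has to be removed by the service's own startup logic before calling it.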