Regression in signal handler.
This vulnerability is exploitable remotely on glibc-based Linux systems, where syslog() itself calls async-signal-unsafe functions (for example, malloc() and free()): an unauthenticated remote code execution as root, because it affects sshd’s privileged code, which is not sandboxed and runs with full privileges.
Oh, I can’t find any examples. What are you searching for?
The closest I can find is an old hlsl offhand comment showing the syntax in isolation, but no example.
https://stackoverflow.com/a/29689866