
Well isn't a buffer overflow used to hack EVERY video game system?



The cases I've seen are with buffer overflows in game saves, but this usually only gets you access to userland. An exploit in kernel space is usually harder to come across.


Actually, that's not true. Kernels aren't infallible, and while there's the 'many eyes' aspect of Open Source kernels, Linux is huge, so tracking stuff down often crosses multiple files, sometimes unrelated ones.

I went to a really excellent talk at the last DC4420 (http://www.dc4420.org/) on 0day in the Linux Kernel. The example provided was a double free bug that was really just a basic schoolboy error. A brief look through the source code tree found about 4 or 5 other examples in less than half an hour. Now I can write fairly obvious buffer overflow exploits, but I'm not exactly a ninja in this space by a long stretch. However, there are 253 advisories for 2.6 according to Secunia, and it's not over yet: http://secunia.com/advisories/product/2719/?task=advisories

AFAIK the 2.6 Linux kernel hasn't been fully audited for bugs; it isn't audited at all (at least AFAICR the Linux Kernel Auditing Project only looked at 2.2 and 2.4).

Slide 31 gives an overview of how kernel pointer overwrite bugs can be exploited here: http://jon.oberheide.org/files/source10-linuxkernel-jonoberh... - It's a fairly good slide deck in general, but for the straight dope you're probably better off looking through Phrack (here's a good article: http://www.phrack.org/issues.html?issue=64&id=6#article).


Well so far there have only been two systems that made any effort to keep them separate, so that is true. But it's still the same base exploit.



