Since Debian 9 "stretch", we've shipped a Linux kernel supporting the "enhanced BPF" feature which allows unprivileged user space to upload code into the kernel. This code is written in a restricted language, but one that's much richer than the older "classic" BPF. The kernel verifies that the code is safe (doesn't loop, only accesses memory it is supposed to, etc.) before running it. However, this means that bugs in the verifier could allow unsafe programs to compromise the kernel's security.

Unfortunately, Jann Horn and others recently found many such bugs in Linux 4.14, and some of them affect older versions too. As a mitigation, consider setting the sysctl kernel.unprivileged_bpf_disabled=1. Updated packages will be available shortly.

Update: There is a public exploit that uses several of these bugs to get root privileges. It doesn't work as-is on stretch with the Linux 4.9 kernel, but is easy to adapt. I recommend applying the above mitigation as soon as possible to all systems running Linux 4.4 or later.