A coding error in the kernel side of Tux would (at most) allow a
malicious user to crash the kernel. I doubt there is even a remote
possibility to exploit a buffer overflow in kernel-level code (be it
Tux or something else).
A coding error in a custom Tux module would not allow an
attacker to take over the machine, crash Tux, or do other nasty
things.
