The new broker pallet, responsible for handling the Coretime procurement logic, had a vulnerability that allowed users to assign Coretime they no longer owned. This is, obviously, quite problematic.
The issue is described in more detail here: https://github.com/paritytech/polkadot-sdk/pull/2811
This is a small tip request for finding, reporting, and fixing the issue.