The software does not drop privileges before passing control of a resource to an actor that does not have those privileges.