Saturday, March 05, 2005

PaX changing hands

Due to a spectacular fuckup, PaX will be changing hands on April 1, 2005. The GrSecurity team will be picking up the PaX code base after that date.

A little background: in reality, PaX and GrSecurity are each run by one developer. "The PaX Team" is made up of a single anonymous entity who took the initiative in 2000 to create what may very well be capable of stopping over half of security exploits before they occur. The same person has been maintaining PaX since its initial release in October, 2000, four and a half years ago.

The potential impact can't be measured yet. Brad Spengler isn't exactly clueless; however, there is still the considerable loss of the PaX lead developer. Eric Steven Raymond made the accurate observation that creative minds are a valuable, limited resource and shouldn't be wasted. While handing off PaX is in itself not potentially disastrous, the permanent loss of a mind as creative as its original developer is mournful.

While specific details are as yet unreleased, the PaX vulnerability is a bug in the VMA mirroring implemented in September, 2002 (there's a typo in the announcement that says 2003). This mirroring is used to allow random placement of fixed-position code (RANDEXEC) and the second NX emulation method on x86 (SEGMEXEC). Implementations using the original and improved PAGEEXEC method without the affected methods compiled into the kernel are not vulnerable.
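To see whether a given kernel build includes either affected feature, this added example (not code from the PaX or GrSecurity projects) reads a kernel config and reports whether SEGMEXEC or RANDEXEC is compiled in. It assumes the PaX Kconfig symbols are CONFIG_PAX_SEGMEXEC and CONFIG_PAX_RANDEXEC; the function names and sample configs are constructed for illustration, and the check says nothing about whether the fixed patch has been applied.

```shell
#!/bin/sh
# Added example, not PaX project code. Reads kernel config text on stdin and
# reports whether either feature built on VMA mirroring is compiled in.
# Assumption: the Kconfig symbols are CONFIG_PAX_SEGMEXEC and CONFIG_PAX_RANDEXEC.
pax_mirror_exposure() {
    awk '
        { sub(/[ \t\r]+$/, "") }    # tolerate trailing whitespace / CRLF
        $0 == "CONFIG_PAX_SEGMEXEC=y" { hit = hit " SEGMEXEC" }
        $0 == "CONFIG_PAX_RANDEXEC=y" { hit = hit " RANDEXEC" }
        END {
            if (hit != "") print "affected:" hit
            else           print "not-affected"
        }'
}

# Print the running kernel's config from whichever common source exists.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        echo "kernel config not found" >&2
        return 1
    fi
}

# Constructed sample config fragments (not taken from any real system).
SAMPLE_SEGMEXEC='CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_RANDEXEC is not set'

SAMPLE_BOTH='CONFIG_PAX_SEGMEXEC=y
CONFIG_PAX_RANDEXEC=y'

SAMPLE_PAGEEXEC_ONLY='CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_SEGMEXEC is not set
# CONFIG_PAX_RANDEXEC is not set'

# On a live system: running_kernel_config | pax_mirror_exposure
```

An "affected" result means the mirroring-based features are built in, so the kernel needs the updated patch; "not-affected" corresponds to the PAGEEXEC-only case described above.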

There have been new versions of PaX and GrSecurity released to cover the bug. There hasn't been a PaX release since 2.6.7; GrSecurity has been using experimental ports that only the inner circle surrounding the projects are privy to directly. At this time, the newly released patches are a required critical security update, and so official PaX patches have been released for Linux 2.6.11. Please upgrade to 2.6.11 with the new PaX or GrSecurity ASAP.


