IPv6 Bug in Linux Kernel
IPv6 is a complex protocol including lots of mechanisms to provide autoconfiguration for IP addresses and many other things. Thus it is clear that in the implementation of it there is also the possibility of failures.
During the research on IPv6 security S21sec has spotted a kernel bug which is exploitable in a way, that if an attacker sends a malformed IPv6 jumbo packet a remote machine will crash.
The reason is that if the kernel receives a malformed IPv6 jumbo packet – he will drop the packet and try to write some statistics. In the affected kernel versions it is not assured that the structure which provides the information is correctly initialized – resulting in a kernel crash.
Jumbo packets in IPv6 need the Hop-By-Hop option which means that the headers are processed by all nodes between the source and destination host. Since unaffected kernel versions will just skip the packet without crashing it works only if the vulnerable host is the next hop. This behavior is only tested using Linux nodes for routing.
Here is the Ubuntu advisory about the same Bug: