The ip6_check_rh0hdr function in netinet6/ip6_input.c in OpenBSD 4.2 allows attackers to cause a denial of service (panic) via malformed IPv6 routing headers.
http://www.vupen.com/english/advisories/2008/0660
http://www.securitytracker.com/id?1019496
http://www.securityfocus.com/bid/27965