The udp6_ufo_fragment function in net/ipv6/udp.c in the Linux kernel before 2.6.39, when a certain UDP Fragmentation Offload (UFO) configuration is enabled, allows remote attackers to cause a denial of service (system crash) by sending fragmented IPv6 UDP packets to a bridge device.
https://github.com/torvalds/linux/commit/a9cf73ea7ff78f52662c8658d93c226effbbedde
https://bugzilla.redhat.com/show_bug.cgi?id=755584
http://www.securityfocus.com/bid/50751