net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux kernel before 2.6.34, when the nf_conntrack_ipv6 module is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via certain types of fragmented IPv6 packets.
http://rhn.redhat.com/errata/RHSA-2012-1064.html
http://rhn.redhat.com/errata/RHSA-2012-1148.html
https://bugzilla.redhat.com/show_bug.cgi?id=833402
http://secunia.com/advisories/49928
https://github.com/torvalds/linux/commit/9e2dcf72023d1447f09c47d77c99b0c49659e5ce