In icmp6_notify_error(), 'finaldst' points to data within an mbuf, but when iterating over the next IPv6 options the kernel can free that mbuf, meaning the dereferences of 'finaldst' hit a freed buffer. Note that this is triggerable without specific conditions, over just ICMPv6. Maxime