The 2011 Pwnie Nominee For Best Server-Side Bug

BSD-derived IPComp encapsulation stack overflow (CVE-2011-1547)

Credit: Tavis Ormandy

Most BSD-derived network stacks contain a vulnerability in the code that processes IPComp encapsulation, which is commonly used alongside IPsec. Because the stack recursively de-encapsulates nested IPComp payloads, an attacker can cause a kernel stack overflow (not a buffer overflow). Tavis speculates that turning this into a remote code execution exploit is not impossible.
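One way to keep nested de-encapsulation from consuming stack, shown as an added example rather than code from any BSD kernel or from the advisory: walk the layers in a loop with a hard depth limit. The function names, return codes and limit are hypothetical, and payloads are treated as stored uncompressed so the sketch stays self-contained.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPCOMP_PROTO   108  /* IANA protocol number for IPComp */
#define IPCOMP_HDR_LEN 4    /* RFC 3173: next header, flags, 16-bit CPI */

enum { UNWRAP_OK = 0, UNWRAP_TRUNCATED = -1, UNWRAP_TOO_DEEP = -2 };

/* Iterative unwrap: stack use is constant no matter how many layers the
 * sender nests, and anything deeper than max_depth is rejected.
 * Assumption: each layer's payload is readable in place; a real stack
 * must decompress a layer before it can see the next header. */
int ipcomp_unwrap(const uint8_t *pkt, size_t len, unsigned max_depth,
                  uint8_t *inner_proto, size_t *inner_off)
{
    uint8_t proto = IPCOMP_PROTO;
    size_t off = 0;
    unsigned depth = 0;

    while (proto == IPCOMP_PROTO) {
        if (depth == max_depth)
            return UNWRAP_TOO_DEEP;       /* nesting beyond policy: drop */
        if (len - off < IPCOMP_HDR_LEN)
            return UNWRAP_TRUNCATED;      /* header would run past the buffer */
        proto = pkt[off];                 /* next-header field of this layer */
        off += IPCOMP_HDR_LEN;
        depth++;
    }
    *inner_proto = proto;
    *inner_off = off;
    return UNWRAP_OK;
}

/* Constructed sample input: `layers` IPComp headers ending in final_proto. */
size_t build_nested(uint8_t *buf, unsigned layers, uint8_t final_proto)
{
    for (unsigned i = 0; i < layers; i++) {
        buf[4 * i]     = (i + 1 < layers) ? IPCOMP_PROTO : final_proto;
        buf[4 * i + 1] = 0;               /* flags */
        buf[4 * i + 2] = 0;               /* CPI, constructed value */
        buf[4 * i + 3] = 2;
    }
    return (size_t)layers * IPCOMP_HDR_LEN;
}

int main(void)
{
    uint8_t buf[256], proto = 0;
    size_t off = 0, n = build_nested(buf, 64, 6);
    printf("64 layers, limit 8: %d\n", ipcomp_unwrap(buf, n, 8, &proto, &off));
    return 0;
}
```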