A race condition within the "scan_get_next_rmap_item()" function in mm/ksm.c can be exploited to cause a kernel crash.

The vulnerabilities are reported in version 2.6.39.1.
Fixed in versions 2.6.39.3 and 2.6.35.14.

Original Advisory: https://lkml.org/lkml/2011/6/1/742

This may be old, but wanted to update for tracking purposes if nothing else.
There are no longer any 2.x kernels available in the repository with the exception of sys-kernel/xbox-sources which is unsupported by security.