untrusted comment: verify with openbsd-67-base.pub
RWRmkIA877Io3pCN2x+MMOll88OT8lX5X9wkslRYVAsjsDO/WITO5PiLI1Q3v2YqYqvXQiOaWGJF4P0fnkPvl1fwz/YC7W4eRgU=

OpenBSD 6.7 errata 026, October 29, 2020:

When generating the ICMP6 response to an IPv6 packet, the kernel
could use mbuf memory after freeing it.

Apply by doing:
    signify -Vep /etc/signify/openbsd-67-base.pub -x 026_icmp6.patch.sig \
        -m - | (cd /usr/src && patch -p0)

And then rebuild and install a new kernel:
    KK=`sysctl -n kern.osversion | cut -d# -f1`
    cd /usr/src/sys/arch/`machine`/compile/$KK
    make obj
    make config
    make
    make install

Index: sys/netinet/icmp6.h
===================================================================
RCS file: /cvs/src/sys/netinet/icmp6.h,v
retrieving revision 1.48
diff -u -p -r1.48 icmp6.h
--- sys/netinet/icmp6.h	25 Dec 2018 19:28:25 -0000	1.48
+++ sys/netinet/icmp6.h	27 Oct 2020 17:40:55 -0000
@@ -616,7 +616,7 @@ struct mbuf	*icmp6_do_error(struct mbuf 
 void		 icmp6_error(struct mbuf *, int, int, int);
 int		 icmp6_input(struct mbuf **, int *, int, int);
 void		 icmp6_fasttimo(void);
-int		 icmp6_reflect(struct mbuf *, size_t, struct sockaddr *);
+int		 icmp6_reflect(struct mbuf **, size_t, struct sockaddr *);
 void		 icmp6_prepare(struct mbuf *);
 void		 icmp6_redirect_input(struct mbuf *, int);
 void		 icmp6_redirect_output(struct mbuf *, struct rtentry *);
Index: sys/netinet6/icmp6.c
===================================================================
RCS file: /cvs/src/sys/netinet6/icmp6.c,v
retrieving revision 1.230
diff -u -p -r1.230 icmp6.c
--- sys/netinet6/icmp6.c	29 Nov 2019 16:41:01 -0000	1.230
+++ sys/netinet6/icmp6.c	27 Oct 2020 17:40:55 -0000
@@ -379,7 +379,7 @@ icmp6_error(struct mbuf *m, int type, in
 	n = icmp6_do_error(m, type, code, param);
 	if (n != NULL) {
 		/* header order: IPv6 - ICMPv6 */
-		if (!icmp6_reflect(n, sizeof(struct ip6_hdr), NULL))
+		if (!icmp6_reflect(&n, sizeof(struct ip6_hdr), NULL))
 			ip6_send(n);
 	}
 }                                                                    
@@ -609,7 +609,7 @@ icmp6_input(struct mbuf **mp, int *offp,
 			nicmp6->icmp6_code = 0;
 			icmp6stat_inc(icp6s_reflect);
 			icmp6stat_inc(icp6s_outhist + ICMP6_ECHO_REPLY);
-			if (!icmp6_reflect(n, noff, NULL))
+			if (!icmp6_reflect(&n, noff, NULL))
 				ip6_send(n);
 		}
 		if (!m)
@@ -1044,8 +1044,9 @@ icmp6_mtudisc_update(struct ip6ctlparam 
  * OFF points to the icmp6 header, counted from the top of the mbuf.
  */
 int
-icmp6_reflect(struct mbuf *m, size_t off, struct sockaddr *sa)
+icmp6_reflect(struct mbuf **mp, size_t off, struct sockaddr *sa)
 {
+	struct mbuf *m = *mp;
 	struct rtentry *rt = NULL;
 	struct ip6_hdr *ip6;
 	struct icmp6_hdr *icmp6;
@@ -1065,7 +1066,7 @@ icmp6_reflect(struct mbuf *m, size_t off
 	}
 
 	if (m->m_pkthdr.ph_loopcnt++ >= M_MAXLOOP) {
-		m_freem(m);
+		m_freemp(mp);
 		return (ELOOP);
 	}
 	rtableid = m->m_pkthdr.ph_rtableid;
@@ -1085,7 +1086,7 @@ icmp6_reflect(struct mbuf *m, size_t off
 		m_adj(m, l);
 		l = sizeof(struct ip6_hdr) + sizeof(struct icmp6_hdr);
 		if (m->m_len < l) {
-			if ((m = m_pullup(m, l)) == NULL)
+			if ((m = *mp = m_pullup(m, l)) == NULL)
 				return (EMSGSIZE);
 		}
 		memcpy(mtod(m, caddr_t), &nip6, sizeof(nip6));
@@ -1093,7 +1094,7 @@ icmp6_reflect(struct mbuf *m, size_t off
 		size_t l;
 		l = sizeof(struct ip6_hdr) + sizeof(struct icmp6_hdr);
 		if (m->m_len < l) {
-			if ((m = m_pullup(m, l)) == NULL)
+			if ((m = *mp = m_pullup(m, l)) == NULL)
 				return (EMSGSIZE);
 		}
 	}
@@ -1189,7 +1190,7 @@ icmp6_reflect(struct mbuf *m, size_t off
 	return (0);
 
  bad:
-	m_freem(m);
+	m_freemp(mp);
 	return (EHOSTUNREACH);
 }