Part of the sockets implementation in the Linux kernel is a structure called proto_ops, which holds pointers to (i.e. the memory addresses of) functions (code). If a socket type has some operation that isn't defined (not implemented, not supported), then the corresponding pointer in proto_ops should point to a stub. It turns out that sometimes these pointers are left set to NULL (zero) instead of pointing to the stubs. So if an attacker can get some code into address 0 and trick the kernel into calling one of the NULL pointers, he/she has got code running at the kernel level.
A patch has been submitted to fix this issue.
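
A userspace C model of the stub convention described above, added here as an illustration; it is not kernel code and not the submitted patch. The `struct sock_ops_model` layout, its field names and the helper functions are assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>

/* Simplified, hypothetical model of an operations table.
   This is NOT the kernel's struct proto_ops. */
struct sock_ops_model {
    int (*op_connect)(int fd);
    int (*op_listen)(int fd);
    int (*op_send)(int fd);
};

/* Stub that every unsupported operation should point to. */
static int op_not_supported(int fd) { (void)fd; return -EOPNOTSUPP; }

/* The one operation this constructed socket type implements. */
static int demo_connect(int fd) { return fd >= 0 ? 0 : -EBADF; }

/* Registration-time check: replace each NULL slot with the stub.
   Returns the number of slots that had been left unset. */
int ops_fill_stubs(struct sock_ops_model *o)
{
    int filled = 0;
    if (!o->op_connect) { o->op_connect = op_not_supported; filled++; }
    if (!o->op_listen)  { o->op_listen  = op_not_supported; filled++; }
    if (!o->op_send)    { o->op_send    = op_not_supported; filled++; }
    return filled;
}

/* Call-site check: never branch through a NULL slot. */
int call_send(const struct sock_ops_model *o, int fd)
{
    if (!o || !o->op_send)
        return -EOPNOTSUPP;
    return o->op_send(fd);
}

/* Constructed sample table: op_listen and op_send are left NULL. */
static struct sock_ops_model make_partial(void)
{
    struct sock_ops_model o = { .op_connect = demo_connect };
    return o;
}

/* NULL slot reached through the guarded call site. */
int demo_guarded_call(void) { struct sock_ops_model o = make_partial(); return call_send(&o, 3); }

/* Number of NULL slots found when the table is registered. */
int demo_fill_count(void) { struct sock_ops_model o = make_partial(); return ops_fill_stubs(&o); }

/* After filling, a direct call lands in the stub instead of address 0. */
int demo_direct_after_fill(void) { struct sock_ops_model o = make_partial(); ops_fill_stubs(&o); return o.op_send(3); }
```

Either check alone turns the unset slot into an ordinary error return; applying both covers tables that bypass registration and call sites that skip the guard.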