I think the issue is well understood, just want to track the bug in bugzilla so it can be added to 12.0 release blockers.
See svn-src discussion around r337776.
*** Bug 231050 has been marked as a duplicate of this bug. ***
A commit references this bug: Author: kp Date: Fri Aug 31 08:37:15 UTC 2018 New revision: 338406 URL: https://svnweb.freebsd.org/changeset/base/338406 Log: frag6: Fix fragment reassembly r337776 started hashing the fragments into buckets for faster lookup. The hashkey is larger than intended. This results in random stack data being included in the hashed data, which in turn means that fragments of the same packet might end up in different buckets, causing the reassembly to fail. Set the correct size for hashkey. PR: 231045 Approved by: re (kib) MFC after: 3 days Changes: head/sys/netinet6/frag6.c
A commit references this bug: Author: kp Date: Mon Sep 3 08:57:09 UTC 2018 New revision: 338442 URL: https://svnweb.freebsd.org/changeset/base/338442 Log: MFC r338406: frag6: Fix fragment reassembly r337776 started hashing the fragments into buckets for faster lookup. The hashkey is larger than intended. This results in random stack data being included in the hashed data, which in turn means that fragments of the same packet might end up in different buckets, causing the reassembly to fail. Set the correct size for hashkey. PR: 231045 Changes: _U stable/11/ stable/11/sys/netinet6/frag6.c
EN/SA revision candidate. Reference: https://lists.freebsd.org/pipermail/freebsd-net/2018-September/051667.html
EN was published: https://www.freebsd.org/security/advisories/FreeBSD-EN-18:09.ip.asc
Fixed in 12, MFC'd, done?