While I'd love to see an exploit from a purely academic perspective,
it doesn't appear that this is the type of bug where exploitation is
going to be reliable enough to support a worm. The reference counter
in question is most likely 32 bits, but even giving the benefit of the
doubt and saying it's a 16-bit refcount, that's still 2^16 events
(probably receiving a certain UDP packet) that need to be triggered
precisely in order to cause a refcount overflow and then trigger a
remote kernel use-after-free condition, which wouldn't be trivial to
exploit even by itself. On an unreliable network like the Internet,
it seems unlikely that the kind of traffic volume required to trigger
this bug could be generated without dropping a single packet.
Reliable DoS seems more likely though.