You can read the Advisory [securityfocus.com] from Bugtraq, which explains it pretty well. Sample, or proof of concept, code has shown up there as well. The advisory states that this is actively being exploited at this time.
'Course Bugtraq is currently chock-full of SSH3 discussions at the moment, too. :)