I saw a post on the bugtraq mailing list that details an exploit to cause an ORA-600 using an ALTER SESSION SET EVENTS command. The hack is detailed in a post titled "Oracle 10g R2 and, probably, all previous versions
". The poster shows an ALTER SESSION SET EVENTS command with a very long event string that causes an ORA-600. He says that this is not a crash and indeed its not really an exploit but he hints that its possible to create an integer overflow with other "combinations". I guess he means that a different length string will cause an overflow? - There is a reply to the post
where a poster found that he could not replicate the bug but that is because the original poster replies on having the ALTER SESSION privilege.