HTML CANVAS elements can use scaled images as patterns. With suitable scaling manipulation of the image, a script can cause Opera to crash. This crash can sometimes cause memory corruption. To inject code, additional techniques will have to be employed.
Opera Software has released Opera 9.27 with a fix for this vulnerability.
Thanks to Michal Zalewski for reporting this issue to Opera Software.