Dangling pointer vulnerability in nsTreeContentView — Mozilla

Security researcher regenrecht reported via TippingPoint’s Zero Day Initiative an error in the way elements are inserted into a XUL tree . In certain cases, the number of references to an element is under-counted so that when the element is deleted, a live pointer to its old location is kept around and may later be used. An attacker could potentially use these conditions to run arbitrary code on a victim’s computer.