Appending a script element whose innerText had been set to a value into a document created via document.implementation.createHTMLDocument("") crashed in MSHTML!CScriptCollection::GetHolderForLanguageHelper. The crash was rated UNKNOWN exploitability, with a note that stack corruption was possible.
var doc = document.implementation.createHTMLDocument("");
var oScript = doc.createElement("script");
oScript.innerText = 1; // Something so the script tries to execute.
doc.body.appendChild(oScript); // Crash!
The null pointer dereference at [edi+0Ch] in GetHolderForLanguageHelper occurred because the document created by createHTMLDocument lacked a properly initialized script collection, and appending an executable script element attempted to look up a script engine holder that did not exist.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.