Caching a reference to document.getElementById from an IFrame, reloading the IFrame, and then calling .constructor() on the cached method caused a PROBABLY_EXPLOITABLE crash. The method reference remained valid across the reload, but its internal context had been torn down.
// iFrame is the child frame's window object (e.g. window.frames[0]), so
// iFrame.document and iFrame.location refer to the frame's own document/location
ref_getElementById = iFrame.document.getElementById; // cache the native method wrapper
iFrame.location.reload(); // tears down the script context the wrapper belongs to
ref_getElementById.constructor(); // Crash — PROBABLY_EXPLOITABLE
After the reload, the method object’s backing script context was invalidated. Calling .constructor() on a native method wrapper traversed internal pointers to reach the Function constructor, and those pointers now pointed into freed memory. The PROBABLY_EXPLOITABLE rating reflected that the faulting address was used to control code flow.
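The failure pattern above is a native use-after-free: a wrapper object outlives the engine-side context it points at, and the next traversal of that pointer reads freed memory. The following C model, added here as an illustration (it is not the browser's code and does not reproduce the actual bug), shows the ownership discipline that prevents it: the cached method wrapper takes its own reference on the script context, so a reload can mark the context as torn down but cannot free it while the wrapper is alive, and the `.constructor` walk fails cleanly instead of dereferencing freed memory. All type and function names (ScriptContext, MethodWrapper, Frame, frame_reload, wrapper_constructor) are assumptions made for the model.

```c
#include <stdio.h>
#include <stdlib.h>

/* Model of the engine-side objects involved (constructed for this example). */
typedef struct ScriptContext {
    int refcount;              /* owners: the frame plus every live wrapper */
    int torn_down;             /* set on reload; memory stays valid while refcount > 0 */
    const char *function_ctor; /* stands in for the context's Function constructor */
} ScriptContext;

typedef struct MethodWrapper {
    ScriptContext *ctx;        /* the internal pointer the crash traversed */
} MethodWrapper;

typedef struct Frame {
    ScriptContext *ctx;        /* the frame's current script context */
} Frame;

static int g_live_contexts = 0; /* bookkeeping so the test can observe lifetimes */

static ScriptContext *ctx_new(void) {
    ScriptContext *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->refcount = 1;               /* the frame's own reference */
    c->function_ctor = "Function";
    g_live_contexts++;
    return c;
}
static void ctx_retain(ScriptContext *c) { c->refcount++; }
static void ctx_release(ScriptContext *c) {
    if (--c->refcount == 0) { g_live_contexts--; free(c); }
}

static Frame *frame_new(void) {
    Frame *f = calloc(1, sizeof *f);
    if (!f) abort();
    f->ctx = ctx_new();
    return f;
}
static void frame_free(Frame *f) { ctx_release(f->ctx); free(f); }

/* Hardened wrapper: it owns a reference, so reload cannot free the context
 * out from under it (the missing piece in the crash described above). */
static MethodWrapper *wrapper_new(Frame *f) {
    MethodWrapper *w = calloc(1, sizeof *w);
    if (!w) abort();
    w->ctx = f->ctx;
    ctx_retain(w->ctx);
    return w;
}
static void wrapper_free(MethodWrapper *w) { ctx_release(w->ctx); free(w); }

/* Equivalent of .constructor: walks wrapper -> context -> Function.
 * Returns NULL as a clean failure when the context has been torn down. */
static const char *wrapper_constructor(const MethodWrapper *w) {
    if (w->ctx->torn_down) return NULL;
    return w->ctx->function_ctor;
}

/* Equivalent of location.reload(): mark the old context dead, drop the
 * frame's reference, and install a fresh context. The old one is freed only
 * once the last wrapper referencing it goes away. */
static void frame_reload(Frame *f) {
    ScriptContext *old = f->ctx;
    old->torn_down = 1;
    f->ctx = ctx_new();
    ctx_release(old);
}

/* Replays the page's sequence (cache, reload, call .constructor) against the
 * hardened model. Returns 1 when the call fails cleanly, the cached wrapper
 * kept the old context alive across the reload, and everything is freed at
 * the end; 0 otherwise. */
int scenario_reload_then_call(void) {
    Frame *f = frame_new();
    MethodWrapper *cached = wrapper_new(f);        /* ref = iFrame.document.getElementById */
    frame_reload(f);                               /* iFrame.location.reload() */
    int old_kept_alive = (g_live_contexts == 2);   /* old context still allocated */
    const char *ctor = wrapper_constructor(cached);/* ref.constructor() */
    int clean_failure = (ctor == NULL);
    wrapper_free(cached);
    int old_freed_with_wrapper = (g_live_contexts == 1);
    frame_free(f);
    int all_freed = (g_live_contexts == 0);
    return old_kept_alive && clean_failure && old_freed_with_wrapper && all_freed;
}

int main(void) {
    printf("hardened reload scenario ok: %d\n", scenario_reload_then_call());
    return 0;
}
```

The design point is that a cached method reference is an owner of engine state, not a borrower: either the wrapper keeps the context alive (as here) or teardown must walk every wrapper and null its back-pointer before freeing. Without one of those, a script-visible handle can be used to reach freed memory, which is exactly the shape the PROBABLY_EXPLOITABLE rating describes.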
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.