Building on the blob-redirect technique, I found that using an invalid content type string (like "INVALID") when creating the blob caused a crash rated PROBABLY_EXPLOITABLE when the server redirected to that blob URL. The fault occurred in urlmon!CTransaction::OnINetCallback via a null write in ntdll!RtlpWaitOnCriticalSection. Credits for the blob research direction go to Gareth Heyes and Mario Heiderich.

    var bb = new MSBlobBuilder();
    bb.append('Check out the address bar!<br /><br />I am HTML content rendered from a Blob!');
    var blob = bb.getBlob("INVALID"); // This is key to the crash.
    var blobUrl = window.URL.createObjectURL(blob);
    location.href = "redirect.aspx?URL=" + blobUrl; // Crash!

The blob was created with "INVALID" as the MIME type, which produced a malformed blob URL. When urlmon processed the redirect to this URL, a null class pointer dereference occurred in CTransaction::OnINetCallback while waiting on a critical section. The write AV at address 0x00000014 was rated PROBABLY_EXPLOITABLE as a near-null pointer write.
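
The crash path relies on the redirect endpoint forwarding the browser to whatever its URL parameter holds, including a blob: URL. As an added example (not code from the original post), this is one way a redirect handler can resolve the parameter and accept only http/https targets on known hosts; the origin, host list and function name are assumptions made for illustration.

```javascript
// Added example: every name and host here is hypothetical, not from the original post.
const BASE = "https://app.example.test"; // constructed origin of the redirect endpoint
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const ALLOWED_HOSTS = new Set(["app.example.test", "docs.example.test"]);

// Returns the normalized redirect target, or null when the value must be refused.
function resolveRedirectTarget(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return null;

  let url;
  try {
    // Resolve relative values against our own origin; the checks below run on
    // the parsed result, never on the raw string.
    url = new URL(raw, BASE);
  } catch {
    return null; // unparseable input is refused, not passed through
  }

  // blob:, data:, javascript:, file: and every other scheme stop here.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  // Refuse userinfo, which hides the real host (https://trusted@other-host/).
  if (url.username !== "" || url.password !== "") return null;
  // Covers absolute URLs and scheme-relative forms such as //other-host/.
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;

  return url.href;
}

// Constructed sample inputs, including the shape of value the post's script sent.
const samples = [
  "blob:https://app.example.test/00000000-0000-0000-0000-000000000000",
  "/account?tab=1",
  "https://docs.example.test/guide",
  "//unknown.example.test/x",
  "https://app.example.test@unknown.example.test/",
  "data:text/html,hi",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", resolveRedirectTarget(s));
}
```
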
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.