A brief crash in IE11 triggered by calling window.URL.createObjectURL on an empty blob. The exploitability was classified UNKNOWN at the time.
function main() {
    // Nothing is appended to the builder, so getBlob() returns an empty blob.
    var bb = new MSBlobBuilder();
    var blob = bb.getBlob("text/html");
    window.URL.createObjectURL(blob); // Crash
}
Tested on IE11 build 20130227-2100.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.