Writing a <script language="xml"> tag into an IFrame’s document caused IE9 to crash with a PROBABLY_EXPLOITABLE rating. The XML script language type was an obscure IE-specific feature, and its interaction with the dynamic document.write path in an IFrame exposed an unguarded code path.

window[0].document.write('<script language="xml"><\/script>');
// Crash — PROBABLY_EXPLOITABLE

The XML script type triggered a different parsing and execution branch than the normal JavaScript path. When introduced via document.write into an IFrame (rather than being statically present in the markup), the parser entered a state that eventually dereferenced an invalid pointer. The PROBABLY_EXPLOITABLE classification was based on the faulting address being used to control branching.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.