... unless they suffer from the same problem as Intel CPU's Meltdown fiasco. Where the branch prediction runs concurrently with the security checking. The branch predictor hits and speculates, firing the bug, while the security check then decides "that's an invalid branch" and discard it--but it's too late the bug side-effect his occurred.

But I think for it to happen randomly, you'd need an invalid pointer that just so happens to jump to what "becomes" an instruction with a bug, and a branch. That seems pretty rare on first glance.