setuid failure exploit [Sitemap] - HeapOverflow Computer Security Community & Forums : Heap Overflow.com



monarch
02-09-08, 00:02
I've seen many vulnerabilities reported where the cause is not checking the result of setuid().

However, I have not been able to find a POC for this type of exploit.

Ideas I have for how an actual POC would work:
1. Remove the user from the system after calling the setuid binary
2. Overload the system, causing system calls to fail (setuid)
3. Something else?

Any ideas would be great, I'd love to fill this knowledge gap.

monarch
20-10-08, 01:55
My research found the following answers:
1. Yes, removing the user from the system will work on SOME Unix systems.
2. Very unlikely
3. Most common: in some Linux kernel versions and one Unix I know of you can set a user process limit. The setuid() call will fail if the limit is already reached.
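The following is an added example, not code posted in this thread, showing the bug class the thread is about (a setuid-root program that drops privileges with setuid() and never looks at the return value) next to the checked version, with the failure from point 3 simulated offline. The target uid 1000, the fake_setuid_eagain and fake_getresuid_root stand-ins and the printed messages are constructed for the demonstration; the injected failure models what the caller sees when the kernel refuses the uid change with EAGAIN, it is not real kernel behaviour.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Bug pattern from the thread: the return value of setuid() is thrown away,
 * so if the kernel refuses the change (e.g. EAGAIN when the target uid is
 * already at its RLIMIT_NPROC process limit) execution continues with euid 0.
 * The syscall is passed in as a function pointer so a failure can be injected. */
static int drop_privs_unchecked(uid_t target, int (*do_setuid)(uid_t)) {
    do_setuid(target);          /* result ignored: this is the vulnerability */
    return 0;                   /* caller believes it is now unprivileged */
}

/* Hardened pattern: check the return value AND verify that the real,
 * effective and saved uids all changed; refuse to continue otherwise. */
static int drop_privs_checked(uid_t target, int (*do_setuid)(uid_t),
                              int (*get_ids)(uid_t *, uid_t *, uid_t *)) {
    uid_t r, e, s;
    if (do_setuid(target) != 0)
        return -1;              /* errno says why; EAGAIN in the NPROC case */
    if (get_ids(&r, &e, &s) != 0)
        return -1;
    if (r != target || e != target || s != target)
        return -1;              /* some uid did not change: do not proceed */
    return 0;
}

/* Constructed stand-ins that model the failure case offline: setuid() fails
 * with EAGAIN and the process is still root afterwards. */
static int fake_setuid_eagain(uid_t uid) { (void)uid; errno = EAGAIN; return -1; }
static int fake_getresuid_root(uid_t *r, uid_t *e, uid_t *s) { *r = *e = *s = 0; return 0; }

/* Real id getter for the live path; getresuid() is Linux/glibc, elsewhere
 * fall back to getuid()/geteuid() and assume saved == effective. */
static int real_get_ids(uid_t *r, uid_t *e, uid_t *s) {
#ifdef __linux__
    return getresuid(r, e, s);
#else
    *r = getuid(); *e = geteuid(); *s = *e; return 0;
#endif
}

/* Effective uid the program keeps running with after the unchecked drop
 * when setuid() fails: 0, i.e. still root. */
uid_t euid_after_unchecked_failure(void) {
    uid_t r, e, s;
    drop_privs_unchecked(1000, fake_setuid_eagain);
    fake_getresuid_root(&r, &e, &s);
    return e;
}

/* Same injected failure through the checked path: -1 instead of carrying on. */
int checked_result_under_failure(void) {
    return drop_privs_checked(1000, fake_setuid_eagain, fake_getresuid_root);
}

/* Live path: setuid() to our own real uid is always permitted, so this is 0. */
int checked_result_live(void) {
    return drop_privs_checked(getuid(), setuid, real_get_ids);
}

int main(void) {
    uid_t e = euid_after_unchecked_failure();
    int failed = checked_result_under_failure();
    int saved_errno = errno;
    int live = checked_result_live();
    printf("unchecked drop, setuid() failed: euid still %u\n", (unsigned)e);
    printf("checked drop, setuid() failed:   returns %d (errno %d, EAGAIN is %d)\n",
           failed, saved_errno, EAGAIN);
    printf("checked drop, live setuid(getuid()): returns %d\n", live);
    return 0;
}
```

The attack setup the thread describes is what makes the injected failure real on an affected kernel: the unprivileged user lowers their own process limit (ulimit -u), forks until that limit is reached, then runs the setuid-root program; its setuid() back to the user's uid fails with EAGAIN and the unchecked version keeps running as root. Two caveats for anyone reproducing this: the setuid(2) manual page notes that since Linux 3.1 this EAGAIN case is normally deferred to the next execve() instead of failing setuid(), so the kernel version matters, and checking all three uids with getresuid() rather than trusting the return value alone is the usual recommendation because setuid() behaves differently for privileged and unprivileged callers.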