On bsonelement.h an unsafe cast is being done that could end up in a situation where NaN (which representation according to the EcmaScript specification is 9007199254740990) is being casted to an integer, the following example can cause such situation:

let st = new ShardingTest({mongos:1, shards:1});

st.s.adminCommand({enableSharding: 'db'});

st.s.adminCommand({shardCollection: 'db.test', key: { _id: NaN }});

Here when passing the index we end up trying to get the number which does the cast. This causes failures on the fuzzer tests as can be seeing in the linked BF.