I mean the one bug with the 9.8 CVSS was a denial of service when calling sort(1). That sounds like CVE grade inflation tbh – if you have attackers running sort on your machine they can probably run worse exploits.