From what I understand,
1) autorun.inf files can be written to automatically execute a program. However, they still need to get user approval through a "Do you trust this program?" kind of message.
2) According to upstream comment, "By setting PCRE_NO_UTF8_CHECK you are guaranteeing that the string is a valid UTF-8 string. If you break your promise, anything might happen." Some people have already exploited similar bugs to execute an arbitrary payload ( https://googleprojectzero.blogspot.com/2015/02/exploitingscve-2015-0318sinsflash.html ).
At worst, I think the bug could be exploited to create a malicious USB/SD Card/Filesystem image to execute arbitrary code without user approval when mounted. It could also be used to run code with gvfs privileges.
Not sure if that qualifies as a security issue. The bug does not happen when no user is authenticated (locked screen), so it cannot be used to bypass a login screen.
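The promise quoted in point 2 can be kept by validating untrusted bytes before any match that sets PCRE_NO_UTF8_CHECK. The following is an added example, not code from the comment, from gvfs or from PCRE; the function names and the sample buffers are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Strict UTF-8 validation (RFC 3629): rejects truncated sequences, stray
 * continuation bytes, overlong encodings, UTF-16 surrogates and code points
 * above U+10FFFF. Returns true only if all `len` bytes are well formed. */
bool utf8_is_valid(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = s[i];
        size_t need;        /* continuation bytes expected after the lead byte */
        uint32_t cp, min;   /* decoded code point and smallest legal value */

        if (c < 0x80)                { i++; continue; }
        else if ((c & 0xE0) == 0xC0) { need = 1; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { need = 2; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { need = 3; cp = c & 0x07; min = 0x10000; }
        else return false;  /* stray continuation byte or invalid lead byte */

        if (len - i - 1 < need) return false;   /* sequence cut off by end of buffer */
        for (size_t k = 1; k <= need; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return false;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min) return false;                       /* overlong encoding */
        if (cp >= 0xD800 && cp <= 0xDFFF) return false;   /* surrogate */
        if (cp > 0x10FFFF) return false;                  /* beyond Unicode */
        i += need + 1;
    }
    return true;
}

/* Hypothetical gate: may this buffer from removable media be handed to a
 * matcher that was told to skip its own UTF-8 check? */
bool safe_for_unchecked_match(const unsigned char *buf, size_t len)
{
    return buf != NULL && utf8_is_valid(buf, len);
}

int main(void)
{
    /* Constructed samples: a well-formed line and one ending mid-sequence. */
    const unsigned char good[] = "open=caf\xC3\xA9";
    const unsigned char bad[]  = "open=caf\xC3";
    printf("good: %d\n", safe_for_unchecked_match(good, sizeof good - 1));
    printf("bad:  %d\n", safe_for_unchecked_match(bad, sizeof bad - 1));
    return 0;
}
```

A buffer that fails the gate should be rejected or matched with the library's own UTF-8 check left enabled.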