I'm a libbson maintainer, and I believe this is only a minor bug, not a grave vulnerability.
The bug is triggered when libbson reads BSON data corrupted in a specific manner. The faulty logic will read up to 4 bytes past the end of a buffer. This is not a grave vulnerability for two reasons. First, applications use libbson to read BSON data from trusted sources, either a MongoDB server or the local file system, not from untrusted sources. We do not consider a MongoDB server or a filesystem under malicious control to be an attack vector that we can secure libbson against. Second, when libbson reads past the end of the buffer, it does nothing with the data it read: it considers it part of an unstructured binary blob. It does no further parsing of the data and does not use that data in any conditional statements or use it as a pointer, so it does not provide a mechanism for remote code execution or any other type of attack.
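The kind of check at issue above, as an added example (not libbson's code, and not a reproduction of this bug, whose details the comment does not give): validating a BSON binary value's declared length against the bytes that remain before touching the payload. The function and enum names are hypothetical; the layout (int32 length, subtype byte, payload, with the old 0x02 subtype carrying an inner int32 length) is taken from the BSON specification.

```c
#include <stddef.h>
#include <stdint.h>

/* Outcome of validating one BSON binary value (hypothetical names). */
typedef enum { BIN_OK = 0, BIN_TRUNCATED, BIN_BAD_LENGTH } bin_status;

/* Read a little-endian int32 byte by byte (no unaligned access). */
static int32_t read_le32(const uint8_t *p) {
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}

/*
 * Validate a BSON binary value: int32 length, 1 subtype byte, `length` bytes.
 * `buf`/`avail` is what remains of the document at this value. On success,
 * *data and *data_len describe the blob, which lies fully inside the buffer.
 * Every length read from the input is checked before it is used as an offset.
 */
bin_status parse_binary(const uint8_t *buf, size_t avail,
                        const uint8_t **data, size_t *data_len) {
    if (avail < 5) return BIN_TRUNCATED;        /* header itself must fit */
    int32_t len = read_le32(buf);
    if (len < 0) return BIN_BAD_LENGTH;
    if ((size_t)len > avail - 5) return BIN_TRUNCATED;
    uint8_t subtype = buf[4];
    const uint8_t *p = buf + 5;
    size_t n = (size_t)len;
    if (subtype == 0x02) {
        /* Old binary subtype: payload begins with its own int32 length. */
        if (n < 4) return BIN_BAD_LENGTH;       /* inner length must fit */
        int32_t inner = read_le32(p);
        if (inner < 0 || (size_t)inner != n - 4) return BIN_BAD_LENGTH;
        p += 4; n -= 4;
    }
    *data = p; *data_len = n;
    return BIN_OK;
}

int main(void) {
    /* Constructed sample: declares 8 payload bytes but carries only 3. */
    const uint8_t bad[] = {8, 0, 0, 0, 0x00, 'a', 'b', 'c'};
    const uint8_t *d; size_t n;
    return parse_binary(bad, sizeof bad, &d, &n) == BIN_TRUNCATED ? 0 : 1;
}
```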