U is fed machine T and input I. By only changing I you can force U to execute a different machine X.
The implications of this are well understood. You'd have similar vulnerabilities if you ran raw machine code on, say, an x86 processor. Enforcing checks and sanitization in such a way that the 'exploit' can't happen is the exact kind of job you'd have to do in order to write an operating system.
The CVE is a joke in the sense that you don’t really need a CVE for a universal Turing machine, as they are quite literally only academic.
paper is essentially saying that by using simplest machine possible
we prove it does not provide layers of security abstractions which were invented and deployed in last 40+ years to computers
so thats like getting CVE for turning off ASLR, AppARMOR SElinux etc in linux kernel.
Showing a universal Turing machine is a proof of the fact that when you write stuff like the smn theorem or anything that uses universal functions you aren't writing nonsense.
There is no "contract" between the universal machine and the hypothetical user. One could certainly ensure that, say, the input TM is properly formatted, or that "the runtime" will only use a certain set of cells, and so on. The difficulties and problems one would find in trying to do so are the same one would face when writing an operating system and a compiler.
Filtering only printable user input helps but even bit map images can expose a heap to a sensitive registers that will execute some target specific generated shell code.
