If expanding a \u (or \U) escape sequence fails, Bash replaces the
input escape sequence with a newly generated one:
$ LC_ALL=C printf %b \\U80
\u0080
Since this new sequence may by longer than the input, it can cause an
overflow in printf:
$ bash-asan -c 'LC_ALL=C printf %b \\U80'
ERROR: AddressSanitizer: heap-buffer-overflow ...
WRITE of size 1 at 0x0001062028f5 thread T0
#0 0x1031bed94 in bexpand printf.def:1180
#1 0x1031ad19c in printf_builtin printf.def:610
TBH I found this fallback behavior kind of surprising and was
expecting the escape sequence to expand to either a null string or to
itself (though some tools assume __STDC_ISO_10646__ behavior even
without checking and expand to what may (or may not) be the correct
codepoint).
