I am uncertain how any miner would have been able to spread counterfeit coins effectively, since the other aspect of the bug was to cause nodes to crash.
Did you read the
full disclosure? 0.14.x would always crash, but 0.15.0-0.16.2 could in some circumstances
not crash, accepting the creation of counterfeit BTC as if it were normal.
I think that I am misunderstanding what exactly this means.
However, if the output being double-spent was created in a previous block, an entry will still remain in the CCoin map with the DIRTY flag set and having been marked as spent, resulting in no such assertion.
Are they talking about the double spend input, that uses a previously created UTXO? Or are the talking about the newly created UTXO that had two double spend inputs and now has a block built on top of it?
Edit: I understand this better now. This answer on slack helped clear things up for me.
https://bitcoin.stackexchange.com/questions/79481/how-does-the-most-recently-found-critical-vulnerability-cve-2018-17144-work