Signature malleability occurs when there are multiple valid signatures for the same data and public key.
ecrecover allows for malleable signatures: given a valid signature (r, s, v), the complementary signature (r, s', v') with s' = n - s (n being the curve order) recovers the same key, because a given "X" coordinate corresponds to two "Y" points on the elliptic curve and ecrecover accepts either.
ecrecover is used throughout the codebase. No meaningful exploits were found as a result of signature malleability.
Even so, consider using OpenZeppelin's ECDSA library to recover signature public keys, as it has an explicit check (rejecting high-s values and v outside {27, 28}) which prevents malleability.