This exception isn't even a buffer overflow, it's just some data used in the save, so it shouldn't allow doing anything insecure.
I checked all the routines called after this bug where we have some control, but none of them allows overflowing $ra, has a jalr to a controlled register, or lets us inject a jump manually using a fully controlled sw.
To me it's just not exploitable <_<'
