We currently have "Log out after password change" (passwordchangelogout), we should also introduce a similar setup for changes to email address.
The default value should match passwordchangelogout. One of my suggestions on MDL-58353 is that perhaps we should make this enabled by default, as these are well known best practice measures. Mentioning here, as it may be worth modifying that default here and closing both issues off together.
This is a best practice measure, thus a security benefit and not categorised as a vulnerability.