This looks like a stale Jetpack autoloader/classmap reference to a file removed or renamed in WooCommerce 10.9.1. Since the site works after the update, clearing any persistent object cache/opcache and checking for an incomplete plugin file sync may help isolate why update.php is still requesting the old class path.
Since the duplicates are confirmed at the mail-log level with other plugins removed, this looks like the password-change notification may be firing twice in the reset-password flow. A hook trace around wp_password_change_notification() and the related WooCommerce account actions would help confirm whether core is triggering two separate sends.
The stack trace should help identify whether this is coming from WooCommerce Admin itself or a plugin/theme conflict. It may be worth testing with non-WooCommerce plugins temporarily disabled and confirming that WooCommerce, WordPress, and PHP versions are fully compatible.