Marking RHEL8 and RHEL9 as delegated as the code is present, however upstream seems to not recognize this as a vulnerability although it has a CVE ID assigned. Also it seems there's no fix present in upstream as the pull request seems to be open and in draft state yet.