Hacker News
by siptin 640 days ago
It's probably something that's unexploitable in practice or rarely enabled by default or both if the developers aren't too bothered about fixing it. Sounds like yet another vulnerability that's more hype than anything serious.
1 comments

Agreed - the only RCE vulnerabilities that would IMHO qualify as "All GNU/Linux systems" would be in the Linux kernel networking stack and maybe in OpenSSH.

But the "(+ others)" seems to imply it's not the Linux kernel.

And OpenSSH is maintained by OpenBSD folks, who take security extremely seriously. I cannot imagine them taking 3+ weeks and not having a security fix, nor arguing whether "Unauthenticated RCE" has a security impact.

So I am guessing it's one of the other common packages, probably not installed on every computer and/or not normally exposed to the internet.