Here is a new patch giving more details in the doc, and explicitly mentioning the CVE entry.
