rhel – Is it really true that no Red Hat fix exists for this Critical 3-month-old glib issue?

Short version

The Red Hat Customer Portal lists CVE-2021-27219 as having a Red Hat CVSS score of 9.8 out of 10, and says that it was published on February 4, 2021, more than 3 months ago, and that it affects RHEL 8, the newest version.

Is there really no fix for it out yet?

Longer version

If I read the above link correctly, the issue affects RHEL 6, 7 and 8, but no fix exists yet. (As opposed to, e.g., CVE-2021-3326, where a fix was released yesterday.)

At the same time, Red Hat’s ubi8/ubi-minimal Docker image, updated today, shows:

Health Index “A” (green) (This image does not have any unapplied Critical or Important security updates.)

When I upload that image to our Harbor Registry, it scans the image and lists it as having CVE-2021-27219 unfixed. Digging into Red Hat’s own data, it looks like I have to agree with Harbor.

But then I find it highly misleading for Red Hat to list the image as having Health Index “A”. Sure, there is no unapplied fix, because the fix doesn’t exist yet, but how can an image be healthy with a security issue scored 9.8 left unfixed for 3 months?

What am I misunderstanding?

(Also, how can there not be a tag for Red Hat or RPM?)