This CVE is exploitable and trivially easy to fix. I would strongly urge the VyOS project to do a security release NOW.
It's a one-line fix, available in Quagga's GIT: https://github.com/Quagga/quagga/commit/cfb1fae25f8c092e0d17073eaf7bd428ce1cd546
The line offset is wrong, but it applies cleanly.
The problem is that RA packets are received into a buffer that is not nearly large enough.