sorry for the link in german:
It seems that there is an RCE in server and client code:
"So it affects the server and client. Both eap_request() and eap_response() are vulnerable (and have the exact same bug). Further more, there is no check to see if you’ve actually configured eap and are using eap prior to hitting the parser. So even if it’s not configured, you’re still vulnerable. Oh, and it’s pre-auth."
There is no ppp release with this fix. It is only in current git. I also have not seen any CVE.