it appears this CVE was found in 4.12 and resolved in 4.13, according to this doc from Product Security which was created from some clair scans.

running clair and trivy scans locally did not show this CVE in any 4.12.1 images.

this story is to track the work to figure out some reproducer or other method to
determine which images are affected and cross reference with the list from Product
Security.