I just shake my head at this whole issue. Why does it even have a CVE? This is a rogue DHCP server sending out legitimate DHCP options. They are using it wrong, that is all. There is nothing new to this; rogue DHCP servers have been an issue for a long time. All your data in your VPN will remain private. Traffic that was supposed to be routed over your VPN may end up on the public internet side instead of within your VPN. But this will likely be TCP SYN packets, which should not get to their destination if not traversing the VPN. An attacker might get some additional information about your network architecture, IP addresses, DNS names, but not access to your traffic.
If you are using software clients on your device, and it is sitting behind a NAT device (travel router like gl has), you have little to worry about. If that traffic is directed to a malicious server, it is still encrypted. If you are really concerned, set up a firewall rule on your client prohibiting all external outbound and inbound traffic on any interface except your VPN connection and, more importantly, quit using public Wi-Fi.
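
An added example, not part of the original comment: a Python check of a client's routing table for the leak described above, flagging gateway routes on a non-VPN interface that would win over the VPN's own routes. The interface names, addresses and the `ip -4 route show` sample are constructed, and the check assumes the VPN client covers the address space with two /1 routes on `tun0`.

```python
import ipaddress

# Constructed sample of `ip -4 route show` output (assumed names and addresses).
SAMPLE_ROUTES = """\
default via 192.168.8.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.8.0/24 dev wlan0 proto kernel scope link src 192.168.8.137
203.0.113.10 via 192.168.8.1 dev wlan0
0.0.0.0/2 via 192.168.8.1 dev wlan0 proto dhcp metric 600
64.0.0.0/2 via 192.168.8.1 dev wlan0 proto dhcp metric 600
"""

def parse_route(line):
    """Return {'net', 'via', 'dev', 'proto'} for a unicast route line, else None."""
    tokens = line.split()
    if not tokens:
        return None
    dest = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
    try:
        net = ipaddress.ip_network(dest, strict=False)
    except ValueError:
        return None  # "unreachable ...", "blackhole ..." and similar route types
    route = {"net": net}
    for key in ("via", "dev", "proto"):
        if key in tokens[1:-1]:
            route[key] = tokens[tokens.index(key, 1) + 1]
    return route

def find_bypass_routes(route_text, vpn_dev, vpn_endpoint):
    """List (prefix, dev, proto) for gateway routes that steer traffic off the VPN."""
    endpoint = ipaddress.ip_network(vpn_endpoint)  # host route the tunnel itself needs
    findings = []
    for line in route_text.splitlines():
        r = parse_route(line)
        if r is None or r.get("dev") == vpn_dev:
            continue
        if "via" not in r:
            continue  # on-link local subnet, no gateway involved
        if r["net"].prefixlen == 0 or r["net"] == endpoint:
            continue  # physical default loses to the /1 routes; endpoint route is expected
        findings.append((str(r["net"]), r["dev"], r.get("proto", "unknown")))
    return findings

if __name__ == "__main__":
    for prefix, dev, proto in find_bypass_routes(SAMPLE_ROUTES, "tun0", "203.0.113.10"):
        print(f"route {prefix} leaves via {dev} (proto {proto}), bypassing tun0")
```

A finding with `proto dhcp` on the physical interface means the DHCP server supplied the route; the firewall rule suggested in the comment would drop that traffic rather than let it leave outside the tunnel.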