However, we see the -D option on the listening parent:

  $ ps ax | grep sshd | head -1
     1306 ?        Ss     0:01 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups

As mentioned elsewhere here, is -D sufficient to avoid exploitation, or is -e necessary as well?

  $ man sshd | sed -n '/ -[De]/,/^$/p'
     -D      When this option is specified, sshd will not
             detach and does not become a daemon.  This
             allows easy monitoring of sshd.

     -e      Write debug logs to standard error instead
             of the system log.

RHEL9 is also 64-bit only, and we see from the notice:

"we have started to work on an amd64 exploit, which is much harder because of the stronger ASLR."

On top of writing the exploit to target 32-bit environments, this also requires a DSA key that implements multiple calls to free().

There is a section on "Rocky Linux 9" near the end of the linked advisory where unsuccessful exploit attempts are discussed.