I assume you mean https://github.com/realm/realm-java/issues/4553
What isn't spelled out in that issue, but only hinted at, is that all interaction in Realm goes through Realm's Java APIs. This means that you don't have access to run any native code yourself, which would be required to exploit a potential buffer overflow.
If an attacker indeed was in a position to try this attack, they would already have sufficient privileges to download the Realm or otherwise maliciously modify your app.
In short, I would consider this a false positive in the pen test.