Hi,

 

Thanks for checking this.

 

You are right, at present there is only one valid CPE for acpid2
(tedfelix:acpid2), and we are not seeing any wrong matches against other
CPEs right now.

 

This update is mainly to make the mapping explicit, instead of depending
on product-only implicit matching. As of now, it does not change current
CVE reporting output. The intent is to keep mapping stable if matching
logic changes later, or if NVD adds another vendor:product using the
same product token in future.

 

So this is a proactive metadata clarity change, not a fix for any
current misreporting.