I believe this is the side effect of having upstream manage the CVE process.

The distros don't get any involvement until release, welcome to the suck.