Strange enough it seems that the NVD had switched from using the “correct” CPE cpe:/a:openbsd:openssh:4.4p1 to using cpe:/a:openbsd:openssh:4.4:p1 like seen in e.g.:
https://nvd.nist.gov/vuln/detail/CVE-2021-36368#range-7818946
@panajo1017 You might want to contact the NVD via https://www.nist.gov/about-nist/contact-us to get this corrected back so that the p1 isn’t added to the Update Component part of the CPE because p1 is actually not an update / patch as we have now concluded.