  1. Security Data
  2. SECDATA-133

Repeated CVEs in oval db (example CVE-2017-15649 for RHEL7)


    • Bug
    • Resolution: Done
    • Normal
    • oval

      We've found a CVE (CVE-2017-15649) that seems to impact both all and some versions of the kernel package. Specifically, we parse the file at 
      https://access.redhat.com/security/data/oval/v2/RHEL7/rhel-7-including-unpatched.oval.xml.bz2
       
      At the top of the file, CVE-2017-15649 appears for the first time with the title "CVE-2017-15649 kernel: Use-after-free in the af_packet.c (important)" and impacts all installations of the kernel package.
       
      CVE-2017-15649 appears a second time as part of a bug fix with title "RHSA-2018:0151: kernel security and bug fix update (Important)" and reduces the impact scope to kernel versions earlier than 0:3.10.0-693.17.1.el7.
       
      I've added screenshots of both sections this CVE appears in, highlighting the different kernel version criteria.
       
      Is this an expected format of the data or an error in the file?

              mprpic@redhat.com Martin Prpic
              yousefzoq Yousef Alowayed (Inactive)
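One way to list every CVE that more than one definition in such a file cites, with each definition's class, title and criterion comments side by side, so the two entries described in the report can be compared. This is an added example, not part of the original report or of Red Hat's tooling; the embedded XML is a constructed sample laid out per the OVAL 5 definitions schema, and its definition ids, test ids and the "kernel is installed" comment are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"o": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Constructed sample (placeholder ids), trimmed to the two entries the report describes.
SAMPLE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 <definitions>
  <definition class="vulnerability" id="oval:example:def:1" version="1">
   <metadata>
    <title>CVE-2017-15649 kernel: Use-after-free in the af_packet.c (important)</title>
    <reference ref_id="CVE-2017-15649" source="CVE"/>
   </metadata>
   <criteria operator="OR">
    <criterion comment="kernel is installed" test_ref="oval:example:tst:1"/>
   </criteria>
  </definition>
  <definition class="patch" id="oval:example:def:2" version="1">
   <metadata>
    <title>RHSA-2018:0151: kernel security and bug fix update (Important)</title>
    <reference ref_id="RHSA-2018:0151" source="RHSA"/>
    <reference ref_id="CVE-2017-15649" source="CVE"/>
   </metadata>
   <criteria operator="OR">
    <criterion comment="kernel is earlier than 0:3.10.0-693.17.1.el7" test_ref="oval:example:tst:2"/>
   </criteria>
  </definition>
 </definitions>
</oval_definitions>"""

def definitions_by_cve(xml_text):
    """Map each CVE id to the (class, title, criterion comments) of definitions citing it."""
    root = ET.fromstring(xml_text)
    found = defaultdict(list)
    for d in root.iterfind(".//o:definition", NS):
        title = d.findtext("o:metadata/o:title", default="", namespaces=NS)
        comments = [c.get("comment") for c in d.iterfind(".//o:criterion", NS)]
        for ref in d.iterfind("o:metadata/o:reference[@source='CVE']", NS):
            found[ref.get("ref_id")].append((d.get("class"), title, comments))
    return dict(found)

def repeated_cves(xml_text):
    """CVEs cited by more than one definition, the situation in the report."""
    return {cve: defs for cve, defs in definitions_by_cve(xml_text).items() if len(defs) > 1}

if __name__ == "__main__":
    for cve, defs in repeated_cves(SAMPLE).items():
        for cls, title, comments in defs:
            print(cve, cls, title, comments, sep=" | ")
```

To run it against the real feed, decompress the `.bz2` file first and pass its text to `repeated_cves`.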