Impacted versions in CVE listings are normally not validated.

For example, my CVE-2022-2007 in WebGPU also supposedly goes back to Chrome version 9. That's impossible, as WebGPU wasn't even a concept back then.

https://nvd.nist.gov/vuln/detail/CVE-2022-2007

It's relatively easy to find the offending commit by creating a unit test and using git bisect. I usually don't do it for public Chromium bug reports since it's extra work and $0 in extra rewards.