I was working on: prometheus/node_exporter#1046 and got a panic when trying to get cpu vulnerabilities:

panic: Couldn't create metrics handler: couldn't create collector: failed to get vulnerabilities: unknown vulnerability state for itlb_multihit: Not affected

Turns out that the parser is looking for "Not Affected" rather than "Not affected". I'm not sure where the capital letter came from. I don't see it in the sysfs code. I suspect it was copied from the comment in the relevant PR: #106 (comment) and this actually never worked.