The VMT doesn't request CVE assignment for bugs which aren't going to have fixes backported, though that doesn't stop someone else from requesting a CVE once this is public. However, the point of a CVE is to be able to track whether a given deployment is vulnerable, and if there's no patch or configuration change which makes deployments no longer at risk of this then there's not much point to having a CVE assigned for it anyway in my opinion.
The VMT doesn't request CVE assignment for bugs which aren't going to have fixes backported, though that doesn't stop someone else from requesting a CVE once this is public. However, the point of a CVE is to be able to track whether a given deployment is vulnerable, and if there's no patch or configuration change which makes deployments no longer at risk of this then there's not much point to having a CVE assigned for it anyway in my opinion.