Surging CVE disclosures pressure NIST to shake up workflows
The US National Institute of Standards and Technology (NIST) is in the process of shaking up the way in which it handles common vulnerabilities and exposures (CVEs) listed in the National Vulnerability Database (NVD) in the face of a rapidly changing threat environment.
Previously, the NVD programme aimed to analyse all CVEs received in order to add details – such as severity scores and affected product lists – to help cyber teams prioritise and mitigate relevant vulnerabilities. It terms this process ‘enrichment’.
However, going forward, it will enrich only those CVEs that meet a predefined set of criteria – flaws that don’t meet this bar will still be listed but will be marked as lower priority issues.
“This change is driven by a surge in CVE submissions, which increased 263% between 2020 and 2025. We don’t expect this trend to let up anytime soon. Submissions during the first three months of 2026 are nearly one-third higher than the same period last year,” NIST said in a statement.
“We’re working faster than ever. We enriched nearly 42,000 CVEs in 2025 – 45% more than any prior year. But this increased productivity is not enough to keep up with rising submissions. Therefore, we’re instituting a new approach.”
The authority hopes that these changes will enable it to stabilise its programme and buy some time to help it develop new automated systems and workflow improvements.
Priorities
The new criteria went into effect on Wednesday 15 April, with the following CVEs prioritised:
“This will allow us to focus on CVEs with the greatest potential for widespread impact. While CVEs that don’t meet these criteria may have a significant impact on affected systems, they generally don’t present the same level of systemic risk as those in the prioritised categories,” said NIST.
The organisation acknowledged that the new criteria may not catch every potentially high-impact flaw, so users will be able to request reviews of lower priority CVEs for enrichment.
At the same time, NIST will no longer routinely provide a separate severity score for CVEs that have already been assigned one by the CVE Numbering Authority – companies such as Microsoft, and so on – that submitted them. It said this was an effort to reduce duplication of effort and better focus its resources, although users are also able to request reviews of specific CVEs if needed.
NIST is also changing how it goes about reanalysing enriched CVEs that have been modified after enrichment. Previously it had reanalysed all modified flaws, but it will now only do so if it becomes aware of a modification that materially affects its enrichment data. Again, a user-requested review system will be put in place.
The backlog
Regarding the large backlog of unenriched CVEs that began to grow two years ago, NIST said that it has not been able to clear this down, and so all backlogged CVEs with an NVD publish date before 1 March 2026 will be moved into the ‘Not Scheduled’ category. CVEs falling into this bucket will be considered for enrichment provided they meet the new prioritisation criteria.
Finally, NIST is updating CVE status labels and descriptions, and making changes to the NVD Dashboard to accurately report these.
The organisation said it recognised it was making big changes that will affect everyday users; however, it reiterated, adopting a risk-based approach is necessary to manage the surge in submissions and buy it time to build new systems that will ensure the sustainability of its offering going forward.
Danis Calderone, principal and chief technology officer at Suzu Labs, said NIST had probably taken the right decision.
“An overhaul was certainly needed and probably inevitable given the volume of new CVE submissions, and we suspect that AI-assisted discovery is probably already pushing that number higher. After all, Microsoft just had its second-largest Patch Tuesday ever, and even ZDI says their incoming submissions have tripled because of AI tools,” said Calderone.
“We’re excited to see NIST making KEV the top priority tier. That’s the right call and something we’ve been doing with our clients for some time now, so we’re very happy to see that becoming the official model.”
However, Calderone criticised some perceived gaps in NIST’s new methodology, specifically the ending of CVE scoring when the submitting authority has already scored it.
“That sounds efficient until you remember that the submitting authority is often the vendor, and vendors don’t always get their own bugs right,” he said. “We just went through this with F5. A recent BIG-IP vulnerability was scored 8.7 HIGH as a denial-of-service issue for five months before it got reclassified as a 9.8 RCE. For organisations using CVSS to drive patching priority, that miscategorisation meant the real risk sat in the wrong queue for five months while attackers were already exploiting it.”
“The other thing missing here is that NIST addressed the processing volume problem but didn’t touch the scoring methodology. CVSS still scores vulnerabilities in isolation. It doesn’t model chainability, where an attacker combines a medium-severity information disclosure with a medium-severity privilege escalation and ends up with critical impact. Neither bug scores as urgent on its own, but together they give you full system compromise.”
Calderone said that for security leaders who have relied on NVD as their go-to for vulnerability context, the time has come to build their own prioritisation stack. This could incorporate data from CISA’s KEV catalogue, Exploit Prediction Scoring System (EPSS) data, and their organisation’s own environmental context.
“The days of waiting for NIST to tell you what matters are over,” he remarked.
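One way to put such a prioritisation stack together, as an added example that is not from the article, Suzu Labs or NIST: KEV membership is the top tier (the model the article describes), EPSS and internet exposure outrank the raw CVSS number, and CVSS alone decides only among the leftovers. The CVE identifiers, EPSS values and thresholds below are all constructed placeholders, not real data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    cve: str                # constructed placeholder id, not a real CVE
    cvss: float             # base score as published by the CNA or NVD
    epss: float             # EPSS probability of exploitation in the next 30 days
    in_kev: bool            # present in CISA's KEV catalogue
    internet_facing: bool   # environmental context: asset reachable from the internet

# Assumed thresholds for this example; tune them to the organisation's risk appetite.
EPSS_HOT = 0.10        # EPSS at or above this is treated as "likely exploited soon"
CVSS_CRITICAL = 9.0
CVSS_HIGH = 7.0

def priority_tier(v: Vuln) -> int:
    """Lower tier number means patch sooner. KEV always wins, as in the new NIST tiering."""
    if v.in_kev:
        return 0
    if v.epss >= EPSS_HOT:                               # exploitation signal beats the score
        return 1
    if v.cvss >= CVSS_CRITICAL and v.internet_facing:    # critical AND exposed
        return 1
    if v.cvss >= CVSS_HIGH:
        return 2
    return 3

def prioritise(vulns):
    """Order by tier, then by exploitation likelihood, then by CVSS as the final tie-break."""
    return sorted(vulns, key=lambda v: (priority_tier(v), -v.epss, -v.cvss))

# Constructed sample inventory. Record 0003 mirrors the vendor-misscored case from the article:
# an "8.7 denial-of-service" on paper while exploitation telemetry says otherwise.
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, 0.02, False, False),  # critical on paper, internal, no exploitation signal
    Vuln("CVE-0000-0002", 6.5, 0.01, True,  False),  # medium CVSS but in KEV: exploited in the wild
    Vuln("CVE-0000-0003", 8.7, 0.85, False, True),   # vendor-scored as DoS, but EPSS says it is being hit
    Vuln("CVE-0000-0004", 5.3, 0.00, False, False),  # nothing pushes this one up the queue
]

if __name__ == "__main__":
    for v in prioritise(SAMPLE):
        print(f"tier {priority_tier(v)}  {v.cve}  cvss={v.cvss}  epss={v.epss}")
```

Run as-is it lists the KEV entry first and the CVSS 9.8 internal flaw third, which is the point: a CVSS-sorted queue would have put them the other way round.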