The US National Institute of Standards and Technology (NIST) is shaking up the way it handles common vulnerabilities and exposures (CVEs) listed in the National Vulnerability Database (NVD) in the face of a rapidly changing threat environment.
Previously, the NVD programme aimed to analyse all CVEs received to add details – like severity scores and affected product lists – to help cyber teams prioritise and mitigate relevant vulnerabilities. It terms this process ‘enrichment’.
However, going forward, it will enrich only those CVEs that meet a predefined set of criteria. Flaws that do not meet this bar will still be listed, but will be marked as lower priority issues.
“This change is driven by a surge in CVE submissions, which increased 263% between 2020 and 2025. We don’t expect this trend to let up anytime soon. Submissions during the first three months of 2026 are nearly one-third higher than the same period last year,” NIST said in a statement.
“We are working faster than ever. We enriched nearly 42,000 CVEs in 2025 – 45% more than any prior year. But this increased productivity is not enough to keep up with growing submissions. Therefore, we are instituting a new approach.”
The authority hopes that these changes will enable it to stabilise its programme and buy some time to help it develop new automated systems and workflow enhancements.
Priorities
The new criteria went into effect on Wednesday 15 April, with the following CVEs prioritised:
“This will allow us to focus on CVEs with the greatest potential for widespread impact. While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritised categories,” said NIST.
The organisation acknowledged that the new criteria may not catch every potentially high-impact flaw, so users will be able to request reviews of lower priority CVEs for enrichment.
At the same time, NIST will no longer routinely provide a separate severity score for CVEs that have already been assigned one by the CVE Numbering Authority (CNA) that submitted them – for example, vendors such as Microsoft. It said this was an effort to reduce duplication of effort and better focus its resources, although users will still be able to request a review of specific CVEs if they want one.
NIST is also changing how it reanalyses enriched CVEs that have been modified after enrichment. Previously it reanalysed all modified flaws, but it will now do so only if it becomes aware of a modification that materially affects its enrichment data. Again, a user-requested review system will be put in place.
The backlog
In relation to a significant backlog of unenriched CVEs that started to develop two years ago, NIST stated that it has not been able to clear this down and so all backlogged CVEs with an NVD publish date before 1 March 2026 will be moved into the ‘Not Scheduled’ category. CVEs falling into this bucket will be considered for enrichment provided they meet the new prioritisation criteria.
Finally, NIST is updating CVE status labels and descriptions, and making changes to the NVD Dashboard to accurately report these.
The organisation said it recognised it was making big changes that will affect everyday users. However, it reiterated, adopting a risk-based approach is necessary to manage the surge in submissions and buy it time to build new systems that will ensure the sustainability of its offering going forward.
Danis Calderone, principal and chief technology officer at Suzu Labs, said NIST had probably taken the right decision.
“An overhaul was certainly needed and probably inevitable given the volume of new CVE submissions, and we suspect that AI-assisted discovery is probably already pushing that number higher. After all, Microsoft just had its second-largest Patch Tuesday ever, and even ZDI says their incoming submissions have tripled thanks to AI tools,” said Calderone.
“We are excited to see NIST making KEV the top priority tier. That is the right call and something we’ve been doing with our clients for some time now, so we’re very happy to see that becoming the official model.”
However, Calderone criticised some perceived gaps in NIST’s new methodology, specifically the ending of CVE scoring when the submitting authority has already scored it.
“That sounds efficient until you remember that the submitting authority is often the vendor, and vendors don’t always get their own bugs right,” he said. “We just went through this with F5. A recent BIG-IP vulnerability was scored 8.7 HIGH as a denial-of-service issue for five months before it got reclassified as a 9.8 RCE. For organisations using CVSS to drive patching priority, that miscategorisation meant the real risk sat in the wrong queue for five months while attackers were already exploiting it.”
“The other thing missing here is that NIST addressed the processing volume problem but didn’t touch the scoring methodology. CVSS still scores vulnerabilities in isolation. It doesn’t model chainability, where an attacker combines a medium-severity information disclosure with a medium-severity privilege escalation and ends up with critical impact. Neither bug scores as urgent on its own, but together they give you full system compromise.”
Calderone said that for security leaders who have relied on NVD as their go-to source for vulnerability context, the time was nigh to build their own prioritisation stack. This could incorporate data from CISA’s KEV catalogue, Exploit Prediction Scoring System (EPSS) information, and their organisation’s own environmental context.
“The days of waiting for NIST to tell you what matters are over,” he remarked.
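As an added illustration (not code from the article or from Suzu Labs) of the prioritisation stack Calderone describes: KEV membership forms the top tier, EPSS and CVSS are combined with environmental exposure below it, and findings that chain on the same host are bumped up rather than scored in isolation. The tier thresholds, the weakness labels and the sample findings are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float            # base score as published by the CNA or NVD
    epss: float            # EPSS probability of exploitation (0..1)
    in_kev: bool           # present in CISA's KEV catalogue
    internet_facing: bool  # environmental context: asset exposure
    weakness: str          # constructed label: "info-disclosure", "privesc", "rce", "dos"

def base_tier(f: Finding) -> int:
    """1 = patch now, 4 = backlog. Thresholds are assumptions, not NIST/CISA policy."""
    if f.in_kev:
        return 1  # KEV is the top tier
    if f.epss >= 0.5 or (f.cvss >= 9.0 and f.internet_facing):
        return 2  # likely exploited, or critical and reachable from the internet
    if f.cvss >= 7.0 or f.epss >= 0.1:
        return 3
    return 4

# Weakness pairs that together yield a much larger impact than either alone.
CHAIN_PAIRS = {("info-disclosure", "privesc")}

def prioritise(findings: list[Finding]) -> dict[str, int]:
    """Assign tiers, then raise findings that chain on the same asset to tier 2."""
    tiers = {f.cve: base_tier(f) for f in findings}
    by_asset: dict[str, list[Finding]] = {}
    for f in findings:
        by_asset.setdefault(f.asset, []).append(f)
    for group in by_asset.values():
        present = {f.weakness for f in group}
        for a, b in CHAIN_PAIRS:
            if a in present and b in present:
                for f in group:
                    if f.weakness in (a, b) and tiers[f.cve] > 2:
                        tiers[f.cve] = 2
    return tiers

def ordered(findings: list[Finding]) -> list[str]:
    """CVE ids in patching order: tier first, then EPSS, then CVSS."""
    tiers = prioritise(findings)
    return [f.cve for f in sorted(findings, key=lambda f: (tiers[f.cve], -f.epss, -f.cvss))]

# Constructed sample findings with placeholder CVE ids (not real data).
SAMPLE = [
    Finding("CVE-0000-0001", "web-01", 5.3, 0.02, False, True, "info-disclosure"),
    Finding("CVE-0000-0002", "web-01", 6.5, 0.03, False, True, "privesc"),
    Finding("CVE-0000-0003", "db-02", 9.8, 0.01, False, False, "rce"),
    Finding("CVE-0000-0004", "vpn-01", 7.5, 0.90, True, True, "rce"),
    Finding("CVE-0000-0005", "lab-07", 4.3, 0.01, False, False, "dos"),
]
```

In the sample, the two medium-severity bugs on web-01 sit in the backlog individually but are promoted above the non-exposed 9.8 once the chain is recognised.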
