NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions
TL;DR
Facing a massive 263% increase in vulnerability submissions over the last five years, NIST has announced it will no longer "automatically" enrich every CVE. Effective April 15, 2026, NIST will prioritize enrichment for vulnerabilities that appear on CISA’s Known Exploited Vulnerabilities (KEV) list, critical government software, and software with elevated privileges. All other submissions will be marked as "Not Scheduled."
The National Institute of Standards and Technology (NIST) has officially shifted its strategy for the National Vulnerability Database (NVD). Citing an unsustainable "explosion" in the volume of Common Vulnerabilities and Exposures (CVE) entries, the agency will now limit enrichment—the process of adding metadata such as CVSS scores and weakness types—to specific high-priority categories.
The change, which went into effect on April 15, 2026, marks a significant departure from the NVD's historical role as a comprehensive repository for all enriched vulnerability data.
A 263% Surge in Vulnerabilities
The decision is driven by a stark reality: the sheer volume of software flaws has outpaced human and logistical capacities. According to NIST, CVE submissions increased by 263% between 2020 and 2025.
The momentum shows no signs of slowing. In the first three months of 2026 alone, submissions were nearly one-third higher than the previous year. While NIST reported enriching approximately 42,000 CVEs in 2025 (a 45% increase over any prior year), the backlog continues to grow. Data from security firm VulnCheck indicates that roughly 10,000 vulnerabilities from 2025 still lack a CVSS score.
The New Prioritization Criteria
Under the new guidelines, CVEs will only be prioritized for enrichment if they meet the following thresholds:
- CISA KEV List: Vulnerabilities appearing in the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog.
- Government Software: Any software utilized within the U.S. federal government.
- Critical Software (Executive Order 14028): This includes software designed to run with elevated privileges, manage network resources, control access to data or operational technology, or operate outside normal trust boundaries.
Any submission that falls outside these criteria will be categorized as "Not Scheduled." NIST noted that while these excluded CVEs may impact specific systems, they are deemed to present less of a "systemic risk" to the national infrastructure.
Operational Changes and Backlog Management
Beyond the prioritization of new CVEs, NIST has introduced several operational updates:
- Backlog Reclassification: All unenriched CVEs published before March 1, 2026 (except those on the CISA KEV list) have been moved to the "Not Scheduled" category.
- No Duplicate Scoring: NIST will no longer routinely provide severity scores if a CVE Numbering Authority (CNA) has already provided one.
- Enrichment Requests: Users can still request enrichment or reanalysis for specific high-impact CVEs by emailing nvd@nist[.]gov.
- Dashboard UI: The NVD Dashboard and status labels have been updated to reflect these status changes in real time.
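One way to turn the criteria and operational rules above into a check inside a vulnerability-management pipeline, so a team can see which CVEs in its feed will arrive with no NVD severity score. This is an added example, not code from NIST or the article; the record layout, the locally maintained `fed_or_critical` flag and the sample IDs are constructed, and the ordering of the CNA-score rule ahead of the KEV rule is this example's reading, since the announcement as reported does not spell out how the two interact.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed record shape; the field names are this example's own, not the NVD API schema.
@dataclass
class CveRecord:
    cve_id: str
    published: date
    nvd_cvss: Optional[float] = None   # severity NIST has already assigned, if any
    cna_cvss: Optional[float] = None   # severity the CVE Numbering Authority supplied, if any
    in_kev: bool = False               # listed in CISA's Known Exploited Vulnerabilities catalog
    fed_or_critical: bool = False      # locally maintained: federal-government or EO 14028 critical software

# Unenriched CVEs published before this date were moved to "Not Scheduled" (KEV entries excepted).
BACKLOG_CUTOFF = date(2026, 3, 1)

def expected_nvd_status(rec: CveRecord) -> str:
    """Predict how NIST will treat one CVE's severity scoring under the new rules."""
    if rec.nvd_cvss is not None:
        return "enriched"              # already scored; nothing changes
    if rec.cna_cvss is not None:
        return "cna_scored"            # NIST will not routinely duplicate a CNA-provided score
    if rec.in_kev:
        return "prioritized"           # KEV entries are enriched regardless of publication date
    if rec.published < BACKLOG_CUTOFF:
        return "not_scheduled"         # backlog reclassification
    if rec.fed_or_critical:
        return "prioritized"           # government or EO 14028 critical software
    return "not_scheduled"

def needs_local_scoring(records: list[CveRecord]) -> list[str]:
    """IDs that will carry no severity from either NVD or a CNA, so the team must score them itself."""
    return [r.cve_id for r in records if expected_nvd_status(r) == "not_scheduled"]

# Constructed sample feed; the IDs are placeholders, not real CVEs.
SAMPLE = [
    CveRecord("CVE-EXAMPLE-0001", date(2026, 4, 20), in_kev=True),
    CveRecord("CVE-EXAMPLE-0002", date(2025, 11, 2)),                 # pre-cutoff backlog, no scores
    CveRecord("CVE-EXAMPLE-0003", date(2026, 4, 2), cna_cvss=7.5),
    CveRecord("CVE-EXAMPLE-0004", date(2026, 4, 5), fed_or_critical=True),
    CveRecord("CVE-EXAMPLE-0005", date(2026, 4, 10)),                 # post-cutoff, meets no criterion
    CveRecord("CVE-EXAMPLE-0006", date(2025, 6, 1), nvd_cvss=9.8),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.cve_id, expected_nvd_status(r))
    print("score locally:", needs_local_scoring(SAMPLE))
```

The `needs_local_scoring` list is the set a team should route to its own scoring or exploitability-intelligence source rather than wait on the NVD.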
Industry Reaction: The End of an Era?
Security experts view this move as a necessary, if disruptive, evolution. Caitlin Condon, VP of security research at VulnCheck, noted that the announcement wasn't a surprise given NIST's previous hints at a risk-based model. However, she warned that many organizations relying solely on the NVD now face a "clear path to no enrichment" for a large portion of vulnerabilities.
"We no longer live in a world where manual enrichment of new vulnerabilities is a feasible or effective strategy," Condon stated, advocating for "machine-speed" approaches to vulnerability management.
David Lindner, CISO of Contrast Security, suggested this marks the end of an era where defenders could rely on a single, comprehensive government database. He argues that this change will force the industry to mature by prioritizing "actual exposure over theoretical severity."
Conclusion
NIST’s pivot to a prioritized enrichment model highlights the growing gap between the speed of vulnerability discovery and the capacity for manual analysis. For cybersecurity professionals, the update serves as a call to move beyond total CVE volume and focus resources on actionable threat intelligence and exploitability metrics.
Source: https://thehackernews.com/2026/04/nist-limits-cve-enrichment-after-263.html