{"id":7859,"date":"2026-04-16T21:58:08","date_gmt":"2026-04-16T21:58:08","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7859"},"modified":"2026-04-16T21:58:08","modified_gmt":"2026-04-16T21:58:08","slug":"nist-cuts-down-cve-analysis-amid-vulnerability-overload","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7859","title":{"rendered":"NIST cuts down CVE analysis amid vulnerability overload"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Overwhelmed by an escalating volume of security flaws, the National Institute of Standards and Technology (NIST) has announced significant changes to how it handles Common Vulnerabilities and Exposures (CVEs).<\/p>\n<p>Rather than commit to providing enrichment for all entries in its National Vulnerability Database (NVD), the agency will <a href=\"https:\/\/www.nist.gov\/news-events\/news\/2026\/04\/nist-updates-nvd-operations-address-record-cve-growth\">focus on just the most critical CVEs<\/a>, which will \u201callow us to stabilize the program while we develop the automated systems and workflow enhancements required for long-term sustainability.\u201d<\/p>\n<p>Starting immediately, NIST will focus on CVEs appearing in <a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\">CISA\u2019s Known Exploited Vulnerabilities (KEV) catalog<\/a>. 
\u201cOur goal is to enrich these within one business day of receipt,\u201d the agency said.<\/p>\n<p>Other high-priority CVEs will also include those for software used in the federal government and <a href=\"https:\/\/www.nist.gov\/itl\/executive-order-improving-nations-cybersecurity\/critical-software-definition-explanatory\">for other critical software<\/a>.<\/p>\n<p>All the other CVEs will still be added to the NVD, but will be categorized as \u201cnot scheduled,\u201d meaning that NIST will no longer prioritize their enrichment.<\/p>\n<h2 class=\"wp-block-heading\">Broken by backlog<\/h2>\n<p>According to NIST, a backlog of CVEs <a href=\"https:\/\/www.csoonline.com\/article\/2106228\/backlogs-at-national-vulnerability-database-prompt-action-from-nist-and-cisa.html\">started to accumulate in early 2024<\/a>, and the agency has been unable to clear it due to increasing submissions.<\/p>\n<p>Submissions grew by 263% between 2020 and 2025, according to the agency, with nearly one-third more vulnerabilities reported in Q1 2026 than the same time last year.<\/p>\n<p>The agency, which enriched nearly 42,000 CVEs in 2025, 45% more than any previous year, now faces a total backlog of more than 30,000 CVEs, said Harold Booth, a technical and program lead at NIST, at <a href=\"https:\/\/www.first.org\/resources\/papers\/vulncon26\/TLPCLEAR-NIST-s-National-Vulnerability-Database-Update-and-the-Vulnerability-Enrichment-Ecosystem\/index\">this week\u2019s VulnCon cybersecurity conference<\/a>.<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p>SOURCE: https:\/\/www.cve.org\/about\/Metrics<\/p>\n<p class=\"imageCredit\">CSO<\/p>\n<\/div>\n<p>As a result, NIST will now forego enrichment for all but the most critical of vulnerabilities.<\/p>\n<p>Backlogged CVEs received prior to March 1 will also be labeled \u201cnot scheduled.\u201d None of those are critical vulnerabilities, NIST said, because those have always been handled 
first.<\/p>\n<p>\u201cThey\u2019ve just come out and publicly stated, \u2018We are never going to get through this backlog,\u2019\u201d Dustin Childs, head of threat awareness at Trend Micro\u2019s Zero Day Initiative, told CSO.<\/p>\n<p>In addition, NIST will no longer calculate severity scores for CVEs submitted with scores provided by the reporting organization.<\/p>\n<p>Security leaders reliant on NIST enrichment will need to take stock of their technology inventories to see whether they fall under NIST\u2019s priority list, Childs said. That\u2019s not easy.<\/p>\n<p>\u201cDiscovery is one of the most difficult problems we\u2019re dealing with,\u201d he noted, adding that it\u2019s also not clear what software actually falls into the priority category. \u201cSoftware used by the federal government is a very vague statement.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Mounting CVE counts \u2014 with AI flaw discovery on the rise<\/h2>\n<p>Childs is not surprised that CVE numbers have been going up, citing AI as part of the reason why.<\/p>\n<p>\u201cWe\u2019re already seeing more garbage CVEs \u2014 and more real CVEs \u2014 related to AIs,\u201d he says.<\/p>\n<p>Dealing with these CVEs is going to be a massive problem for companies. \u201cPeople still don\u2019t patch,\u201d he says. \u201cAnd we\u2019re going to quadruple the number of patches they\u2019re going to have to deploy. How do we build our defenses across the entire enterprise? I don\u2019t know if we\u2019ll get there before the bad guys do.\u201d<\/p>\n<p>According to the Forum of Incident Response and Security Teams (FIRST), 59,427 CVEs are expected to be submitted this year, up from a little over 48,000 in 2025. 
That makes 2026 the first year that CVEs will pass the 50,000 milestone.<\/p>\n<p>\u201cThe sheer velocity of vulnerability discovery and exploitation is unlike anything we\u2019ve seen before,\u201d FIRST CEO Chris Gibson told CSO.<\/p>\n<p>FIRST has also modeled \u201crealistic scenarios\u201d in which the <a href=\"https:\/\/www.first.org\/blog\/20260211-vulnerability-forecast-2026\">total number of CVEs cracks 100,000 for 2026<\/a> \u2014 but <a href=\"https:\/\/www.csoonline.com\/article\/4130453\/cisos-must-separate-signal-from-noise-as-cve-volume-soars.html\">that was in February<\/a>, before Anthropic announced Mythos, its vulnerability-finding AI model many foresee as a <a href=\"https:\/\/www.csoonline.com\/article\/4158117\/anthropics-mythos-signals-a-structural-cybersecurity-shift.html\">structural shift for the cybersecurity industry<\/a>.<\/p>\n<p>\u201cAnd if it\u2019s not Mythos, or whatever else is coming out now, something is going to come out next week,\u201d said Empirical Security founder Jay Jacobs, who also leads the Exploit Prediction Scoring System special interest group at FIRST.<\/p>\n<p>Still, Jacobs is optimistic that turning to technology will help NIST deal with rising CVE volumes.<\/p>\n<p>\u201cHarold Booth has a lot of experience and skill working with AI over the last few years,\u201d Jacobs told CSO. \u201cSo I\u2019m expecting him to bring some expertise and I hope we do see some AI news there.\u201d<\/p>\n<p>Both large language models and AI agents are on the agency\u2019s to-do list, as is old-fashioned robotic process automation (RPA), Booth said in his presentation at VulnCon, which Jacobs chairs. 
NIST also plans to delegate some of the work to CVE Numbering Authorities (CNAs), which include security vendors and researchers.<\/p>\n<p>\u201cAmong other things, we are pursuing efforts to determine how large language models and other machine learning tools can be leveraged to speed up analysis and enrichment tasks that are currently manual and labor-intensive,\u201d Booth added in follow-up with CSO.<\/p>\n<p><em>This story has been updated to include added comment from Harold Booth on NIST\u2019s AI plans.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Overwhelmed by an escalating volume of security flaws, the National Institute of Standards and Technology (NIST) has announced significant changes to how it handles Common Vulnerabilities and Exposures (CVEs). Rather than commit to providing enrichment for all entries in its National Vulnerability Database (NVD), the agency will focus on just the most critical CVEs, which [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7849,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7859","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7859"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7859"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7859\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.p
hp?rest_route=\/wp\/v2\/media\/7849"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7859"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7859"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7859"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}