NIST Overhauls National Vulnerability Database Operations Amid Record CVE Growth

The National Institute of Standards and Technology (NIST) has announced a significant restructuring of its National Vulnerability Database (NVD) operations, fundamentally altering how it processes and enriches Common Vulnerabilities and Exposures (CVEs). Effective April 15, 2026, NIST will only automatically enrich CVEs that meet specific prioritization criteria, a direct response to an unprecedented surge in vulnerability submissions that has strained the database’s capacity. This strategic shift marks a pivotal moment in the landscape of cybersecurity vulnerability management, compelling organizations to adapt their risk assessment strategies.

The Genesis of the NVD and Its Crucial Role

To fully appreciate the gravity of NIST’s announcement, it’s essential to understand the foundational role of the NVD and CVEs in global cybersecurity. The NVD, maintained by NIST, serves as the U.S. government repository of standards-based vulnerability management data, represented by CVEs. CVE is a list of publicly disclosed cybersecurity vulnerabilities, with each entry assigned a unique identifier (e.g., CVE-2023-12345). These entries provide common names for publicly known cybersecurity vulnerabilities, enabling security professionals to discuss and address them uniformly across different security tools and services.

The NVD enriches these raw CVEs by adding crucial contextual information. This enrichment typically includes impact metrics (such as CVSS scores – Common Vulnerability Scoring System), fix information, and detailed descriptions of the vulnerability’s nature, affected products, and potential mitigations. For decades, the NVD has been an indispensable resource for organizations worldwide, providing a centralized, authoritative source for assessing the severity and impact of vulnerabilities affecting their software and systems. Security teams have relied on NVD’s comprehensive data to prioritize patching efforts, inform risk assessments, and maintain compliance. The expectation has long been that virtually every recognized CVE would eventually receive this critical enrichment, allowing for standardized risk analysis.

An Unprecedented Deluge of Vulnerabilities

NIST’s decision stems from an unsustainable escalation in the volume of CVE submissions. The agency reported a staggering 263% increase in CVE submissions between 2020 and 2025 alone. This trend shows no signs of abating, with submissions in the first three months of 2026 already nearly one-third higher than those recorded in the same period last year. This exponential growth reflects several interconnected factors:

  • Increased Software Complexity: Modern software ecosystems are increasingly intricate, built upon layers of open-source components, third-party libraries, and microservices. Each new component introduces potential attack surfaces and vulnerabilities.
  • Expanded Security Research: A growing global community of security researchers, both ethical hackers and malicious actors, is actively probing software for flaws.
  • Rise of Bug Bounty Programs: Companies increasingly offer financial incentives for identifying and reporting vulnerabilities, incentivizing more extensive and rigorous security testing.
  • Automated Vulnerability Discovery Tools: Advances in static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA) tools allow for faster and more widespread identification of potential weaknesses.
  • Focus on Open Source: The pervasive use of open-source software, while fostering innovation, also means vulnerabilities in widely used libraries can have cascading effects across countless applications.

Despite working at an unprecedented pace – enriching nearly 42,000 CVEs in 2025, a 45% increase over any prior year – NIST’s resources have been overwhelmed by the sheer volume. The manual and semi-automated processes required for thorough enrichment simply cannot keep pace with the current rate of submission. This operational bottleneck has led to a backlog, with critical data, such as CVSS scores, missing for a significant number of vulnerabilities. For instance, data from cybersecurity firm VulnCheck indicates that approximately 10,000 vulnerabilities from 2025 still lack a CVSS score. While NIST enriched 14,000 CVE-2025 vulnerabilities, this accounts for only about 32% of the total 2025 CVE population, leaving a vast majority without essential context.

NIST’s New Prioritization Framework

To manage this unsustainable workload, NIST has implemented a new, risk-based prioritization model for CVE enrichment. Under this revised policy, which became effective on April 15, 2026, NIST will only automatically enrich CVEs that meet specific, undisclosed criteria designed to identify those with the "maximum potential for widespread impact" or "systemic risk." While the exact detailed criteria have not been fully elaborated in the initial public announcements, it can be logically inferred that these conditions would likely consider factors such as:

  • Exploitability: The ease with which a vulnerability can be exploited in real-world scenarios.
  • Impact on Critical Infrastructure: Vulnerabilities affecting essential services, utilities, or government functions.
  • Prevalence of Affected Software: Flaws in widely used operating systems, applications, or foundational libraries.
  • Potential for Chaining: Vulnerabilities that can be combined with others to achieve greater impact.
  • Severity: While CVSS scores are part of enrichment, a preliminary assessment of inherent severity might guide initial prioritization.

CVEs that do not meet these stringent thresholds will still be listed in the NVD but will be marked as "Not Scheduled" for automatic enrichment by NIST. This means that, unlike in the past, a significant portion of newly identified vulnerabilities will not receive critical data points such as comprehensive descriptions, CVSS scores, and detailed references directly from NIST. The rationale behind this shift, as articulated by NIST, is to concentrate resources on vulnerabilities that pose the greatest systemic threat, acknowledging that while "Not Scheduled" CVEs may still significantly impact affected systems, they generally do not present the same level of widespread risk.

Implications for "Not Scheduled" Vulnerabilities and the Community Request Process

The "Not Scheduled" status carries substantial implications for organizations that have historically relied on the NVD as their primary, and often sole, source of vulnerability intelligence. Without NIST’s enrichment, these entries will lack the standardized, in-depth analysis necessary for effective risk assessment and prioritization. This omission could lead to:

  • Increased Manual Effort: Security teams will need to expend more resources researching "Not Scheduled" CVEs, potentially drawing on disparate and less authoritative sources to understand their impact and exploitability.
  • Inconsistent Risk Assessments: The absence of standardized CVSS scores and detailed descriptions will make it harder to consistently evaluate and compare risks across different systems and applications.
  • Delayed Patching: Organizations may be slower to identify and address vulnerabilities that lack clear guidance, increasing their exposure windows.
  • Blind Spots: Less critical but still impactful vulnerabilities might be overlooked if organizations lack the resources to manually research every "Not Scheduled" entry.

Recognizing the potential for high-impact CVEs to be initially categorized as "Not Scheduled," NIST has instituted a community-driven review process. Users who believe a particular "Not Scheduled" CVE warrants enrichment due to its significant impact can submit a request via email to "nvd@nist[.]gov." NIST will then review these requests and, if deemed applicable, schedule the CVE for enrichment. While this provides a mechanism for addressing overlooked critical vulnerabilities, it introduces a layer of manual intervention and potential delay, placing additional burden on the cybersecurity community to advocate for the enrichment of specific entries.

NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions

Broader Operational Adjustments and Expert Reactions

Beyond the prioritization changes, NIST has also indicated that "various other aspects of the NVD operations" have been instituted. While the original announcement did not detail these specific changes, they logically could encompass updates to NVD APIs, revised documentation, enhancements to submission portals, or adjustments to community engagement protocols, all aimed at streamlining the NVD’s functions in light of the new operational model.

The cybersecurity community has largely anticipated this shift, with experts acknowledging the unsustainable trajectory of CVE growth. Caitlin Condon, Vice President of Security Research at VulnCheck, noted that NIST had "previously telegraphed intent to move to a ‘risk-based’ prioritization model for CVE enrichment." While commending NIST for "clearly and publicly setting expectations for the community," Condon also highlighted the critical challenge: "a significant portion of vulnerabilities now appear to have no clear path to enrichment for organizations relying on NIST as their authoritative (or only) source of CVE enrichment data." She underscored that this announcement reinforces a fundamental truth: "We no longer live in a world where manual enrichment of new vulnerabilities is a feasible or effective strategy." Condon emphasized the imperative for "distributed, machine-speed approaches to vulnerability identification and enrichment, along with a genuinely global perspective on risk that acknowledges the interconnected, interdependent nature of the worldwide software ecosystem." She starkly warned, "After all, what we don’t prioritize for ourselves, adversaries will prioritize for us."

David Lindner, Chief Information Security Officer of Contrast Security, echoed this sentiment, describing NIST’s decision as "the end of an era where defenders could leverage a single government-managed database to assess security risks." Lindner stressed that this shift necessitates a pivot for organizations towards "a proactive approach to risk management that’s driven by threat intelligence." He advised "modern defenders" to "move beyond the noise of total CVE volume and instead focus their limited resources on the CISA KEV list and exploitability metrics." The CISA Known Exploited Vulnerabilities (KEV) Catalog, maintained by the U.S. Cybersecurity and Infrastructure Security Agency, lists vulnerabilities that have been observed being actively exploited in the wild, providing a critical, high-fidelity signal for immediate action. Lindner concluded that while this transition might disrupt "legacy auditing workflows," it ultimately "matures the industry by demanding that we prioritize actual exposure over theoretical severity. Relying on a curated subset of actionable data is far more effective for national resilience than maintaining a comprehensive but unmanageable archive of every minor bug."

The Evolving Landscape of Vulnerability Management

NIST’s revised NVD operations signal a fundamental paradigm shift in vulnerability management. The era of relying on a single, comprehensive, and universally enriched database for all vulnerabilities is effectively over. Organizations must now embrace a multi-faceted, intelligence-driven approach:

  1. Diversify Vulnerability Intelligence Sources: Beyond the NVD, organizations will need to integrate data from commercial threat intelligence platforms, vendor security advisories, exploit databases (like Exploit-DB), and community-driven security research.
  2. Prioritize Based on Context and Threat Intelligence: The CISA KEV list will become even more critical for identifying vulnerabilities actively exploited. Organizations must also develop internal capabilities to assess vulnerabilities based on their specific asset inventory, business context, and observed threat landscape.
  3. Leverage Automation and AI: Automated vulnerability management tools, particularly those incorporating AI and machine learning, will be essential for processing the vast volume of vulnerability data, correlating it with threat intelligence, and generating risk-based insights at machine speed. These tools can help identify "Not Scheduled" CVEs that are relevant to an organization’s specific tech stack and aid in determining their potential impact.
  4. Strengthen Internal Research Capabilities: For critical systems, organizations may need to bolster their internal security research teams to manually analyze "Not Scheduled" CVEs that pose a specific risk to their operations, or be prepared to actively engage with NIST’s community request process.
  5. Focus on Exploitability and Business Impact: The emphasis must shift from merely cataloging every known vulnerability to understanding which ones are actually exploitable in their environment and which pose the greatest business risk. This requires a deeper understanding of an organization’s attack surface and threat actors.
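As an added illustration (not code from NIST, VulnCheck, or Contrast Security), the triage logic the steps above describe, run over constructed sample data: the record shape is a simplified stand-in, not the real NVD API schema, and the KEV set, vendor scores and asset inventory are all assumed values.

```python
"""Triage CVEs when NVD enrichment is absent ("Not Scheduled").

Added example. Record shape is a constructed simplification, not the NVD schema.
"""
NOT_SCHEDULED = "Not Scheduled"

# Constructed sample NVD-style records (simplified shape, not the real NVD schema).
NVD_RECORDS = [
    {"id": "CVE-2026-0001", "status": "Analyzed", "cvss": 9.8, "products": ["acme-webapp"]},
    {"id": "CVE-2026-0002", "status": NOT_SCHEDULED, "cvss": None, "products": ["acme-webapp"]},
    {"id": "CVE-2026-0003", "status": NOT_SCHEDULED, "cvss": None, "products": ["other-db"]},
    {"id": "CVE-2026-0004", "status": "Analyzed", "cvss": 4.3, "products": ["acme-webapp"]},
    {"id": "CVE-2026-0005", "status": NOT_SCHEDULED, "cvss": None, "products": ["acme-webapp"]},
    {"id": "CVE-2026-0006", "status": NOT_SCHEDULED, "cvss": None, "products": ["acme-webapp"]},
]
KEV_IDS = {"CVE-2026-0002"}             # constructed stand-in for the CISA KEV catalog
VENDOR_SCORES = {"CVE-2026-0005": 8.1}  # constructed stand-in for vendor advisory CVSS
INVENTORY = {"acme-webapp"}             # constructed asset inventory

# Tiers from most to least urgent.
TIERS = ("actively-exploited", "high-severity", "needs-research", "low-severity", "not-in-scope")

def best_score(rec, vendor_scores):
    """NVD CVSS if present, otherwise a vendor-supplied score, otherwise None."""
    return rec["cvss"] if rec["cvss"] is not None else vendor_scores.get(rec["id"])

def classify(rec, kev_ids, vendor_scores, inventory):
    """KEV membership outranks any severity score; an unscored, unscheduled CVE
    on an owned product is flagged for manual research."""
    if not inventory.intersection(rec["products"]):
        return "not-in-scope"
    if rec["id"] in kev_ids:
        return "actively-exploited"
    score = best_score(rec, vendor_scores)
    if score is None:
        return "needs-research"  # candidate for NIST's community enrichment request
    return "high-severity" if score >= 7.0 else "low-severity"

def triage(records, kev_ids, vendor_scores, inventory):
    """Return [(cve_id, tier), ...] ordered from most to least urgent."""
    ranked = [(r["id"], classify(r, kev_ids, vendor_scores, inventory)) for r in records]
    return sorted(ranked, key=lambda pair: TIERS.index(pair[1]))

def enrichment_gaps(records, inventory):
    """CVE ids on owned products that NIST has not scheduled for enrichment."""
    return [r["id"] for r in records
            if r["status"] == NOT_SCHEDULED and inventory.intersection(r["products"])]

if __name__ == "__main__":
    for cve_id, tier in triage(NVD_RECORDS, KEV_IDS, VENDOR_SCORES, INVENTORY):
        print(f"{cve_id}: {tier}")
    print("unscheduled on owned products:", enrichment_gaps(NVD_RECORDS, INVENTORY))
```

The "needs-research" tier is the list a team would either analyze in-house or escalate through NIST's request process; everything in KEV is acted on regardless of whether NVD ever scores it.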

This recalibration by NIST, while presenting immediate challenges, ultimately pushes the cybersecurity community towards a more mature, resilient, and proactive posture. It underscores the urgent need for defenders to move beyond a reactive, checklist-based approach to a dynamic, intelligence-led strategy capable of navigating the ever-expanding universe of digital threats. The future of vulnerability management will be characterized by distributed intelligence, automated analysis, and a relentless focus on actual, rather than theoretical, risk.
