NIST Halts NVD Enrichment for Lowest-Priority CVEs as Submission Volume Surges 263% — Vulnerability Management Impact

NIST has announced it will no longer provide full CVSS scoring, CPE matching, and CWE classification for the lowest-priority tier of CVE submissions in the NVD. The change, driven by a 263% surge in annual CVE volumes since 2024, means thousands of CVE records will remain in an unenriched 'DEFERRED' state — with no CVSS score, no affected product mapping, and no severity rating. Enterprise vulnerability management programmes that rely on NVD as their authoritative source must adapt their workflows immediately.


The National Institute of Standards and Technology (NIST) has formally announced it will discontinue full enrichment of National Vulnerability Database (NVD) records for CVEs it classifies as lowest-priority — a change that fundamentally alters how the security industry’s most relied-upon vulnerability data source operates.

The announcement, published on April 27, 2026, confirms that an estimated 30–40% of newly published CVEs will now receive only a bare-bones record: the CVE identifier, the CNA-supplied description, and a reference to the originating advisory. No CVSS base score, no Common Platform Enumeration (CPE) product mappings, no Common Weakness Enumeration (CWE) classification. These records will be labelled DEFERRED in the NVD status field.

The Scale of the Problem

NIST’s announcement attributes the change to an unsustainable growth trajectory. CVE submissions have increased by approximately 263% since 2024, driven by:

  • Expansion of CNA (CVE Numbering Authority) programme authorisations to thousands of vendors and researchers globally
  • AI-assisted vulnerability discovery tooling producing significantly higher disclosure volumes
  • Regulatory pressure in the EU and US encouraging formal CVE assignment for a broader class of software flaws

NIST’s enrichment team — responsible for manually reviewing, scoring, and cross-referencing each CVE record — has not scaled to match this volume. The result is a growing backlog that peaked at over 22,000 unenriched records in early 2026, prompting the decision to formalise a triage tier.

The DEFERRED classification applies to CVEs that NIST’s triage algorithm rates as low impact and low exploitability based on the CNA-supplied description. In practice, this algorithm will misclassify some significant vulnerabilities, particularly those in niche enterprise products or novel vulnerability classes where the automated heuristics have limited context.

Impact on Enterprise Vulnerability Management

Most commercial vulnerability management platforms — including Tenable, Qualys, Rapid7, and CrowdStrike Falcon — ingest NVD data as their primary enrichment source for CVSS scores and affected product identification. A DEFERRED CVE arriving in these platforms will appear with no severity rating and no CPE match, meaning:

  1. Automated asset-to-vulnerability correlation will fail — scanners cannot identify which hosts are affected if CPE data is absent.
  2. Risk scoring engines will not prioritise the finding — a CVE with no CVSS score typically receives a “pending” or “informational” disposition rather than an actionable severity.
  3. SLA-based remediation workflows will not trigger — most enterprise patch SLAs are tied to CVSS severity thresholds; no score means no SLA clock starts.

This creates a systemic blind spot: a CVE that is genuinely significant to an organisation’s specific asset inventory may sit undetected in a DEFERRED state for weeks or indefinitely if no alternative enrichment source resolves it.

What Replaces NVD Enrichment?

NIST points to two mitigating factors. First, many CNAs now publish CVSS scores themselves as part of their CVE submission, which the NVD will pass through without independent validation — though CNA-supplied scores are not always consistent with NVD methodology and may be optimistically low. Second, NIST is encouraging enterprises to use additional data sources beyond the NVD.

Practically, organisations should now plan to supplement NVD with:

  • Vendor advisory feeds — direct RSS or API subscriptions to vendor security advisories (Microsoft MSRC, Cisco PSIRT, Red Hat, etc.) to catch enrichment that vendors publish independently of NVD timelines
  • EPSS (Exploit Prediction Scoring System) — the FIRST EPSS model scores exploitation probability without depending on NVD enrichment and is increasingly integrated into VM platforms
  • CISA KEV — the Known Exploited Vulnerabilities catalogue provides an exploitation-confirmed signal that is independent of CVSS completeness
  • Commercial threat intelligence feeds — vendors such as VulnDB, Flashpoint, and GreyNoise publish enrichment independently of NIST

Beyond adding data sources, security teams should take the following immediate steps:

  • Audit your VM platform’s NVD dependency — contact your vendor to understand how DEFERRED records will appear in your console and whether the platform has fallback enrichment logic.
  • Implement vendor advisory subscriptions — do not rely solely on NVD ingestion for visibility of vulnerabilities in your priority product stack (Microsoft, Cisco, Palo Alto, Fortinet, Linux distributions).
  • Update patch prioritisation policies — adjust workflows to handle CVEs without CVSS scores; consider using EPSS probability as a secondary signal when CVSS is absent.
  • Monitor the NIST NVD enrichment backlog — NIST publishes weekly backlog metrics at nvd.nist.gov/statistics; include this in your security operations dashboard to track when significant records transition from DEFERRED to enriched.
