
NIST Limits CVE Enrichment After 263% Surge In Vulnerability Submissions (thehackernews.com)

(Friday April 17, 2026 @11:30PM (BeauHD) from the too-many-to-handle dept.)


NIST is [1]narrowing how it handles CVEs in the National Vulnerability Database (NVD), saying it will only [2]automatically enrich higher-priority vulnerabilities. "CVEs that do not meet those criteria will still be listed in the NVD but will not automatically be enriched by NIST," it [3]said. "This change is driven by a surge in CVE submissions, which increased 263% between 2020 and 2025. We don't expect this trend to let up anytime soon." The Hacker News reports:

> The prioritization criteria outlined by NIST, which went into effect on April 15, 2026, are as follows:

> - CVEs appearing in the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog.

> - CVEs for software used within the federal government.

> - CVEs for critical software as defined by Executive Order 14028: this includes software that's designed to run with elevated privilege or managed privileges, has privileged access to networking or computing resources, controls access to data or operational technology, and operates outside of normal trust boundaries with elevated access.

>

> Any CVE submission that doesn't meet these thresholds will be marked as "Not Scheduled." The idea, NIST said, is to focus on CVEs that have the maximum potential for widespread impact. "While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories," it added. [...]

>

> Changes have also been instituted for various other aspects of the NVD operations. These include:

> - NIST will no longer routinely provide a separate severity score for a CVE where the CVE Numbering Authority has already provided a severity score.

> - A modified CVE will be reanalyzed only if it "materially impacts" the enrichment data. Users can request specific CVEs to be reanalyzed by sending an email to the same address listed above.

> - All unenriched CVEs currently in backlog with an NVD publish date earlier than March 1, 2026, will be moved into the "Not Scheduled" category. This does not apply to CVEs that are already in the KEV catalog.

> - NIST has updated the CVE status labels and descriptions, as well as the NVD Dashboard, to accurately reflect the status of all CVEs and other statistics in real time.



[1] https://thehackernews.com/2026/04/nist-limits-cve-enrichment-after-263.html

[2] https://nvd.nist.gov/general/cve-process

[3] https://www.nist.gov/news-events/news/2026/04/nist-updates-nvd-operations-address-record-cve-growth
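As an added example (not from the Slashdot post, The Hacker News, or NIST), a small Python triage helper for the situation the post describes: it reads the CNA-supplied CVSS score from a CVE record, checks KEV membership against a local copy of the catalog, and flags records that would likely land in "Not Scheduled" with no score at all. The KEV excerpt, the record layout (a simplified CVE JSON 5.x shape, containers.cna.metrics) and the CVE-0000-* IDs are constructed placeholders.

```python
from typing import Optional

# Constructed KEV catalog excerpt (real catalog shape: vulnerabilities[].cveID);
# CVE-0000-* IDs are placeholders, not real CVEs.
KEV_SAMPLE = {"vulnerabilities": [{"cveID": "CVE-0000-00001"}]}

# Constructed records in a simplified CVE JSON 5.x layout (containers.cna.metrics).
RECORDS = [
    {"cveMetadata": {"cveId": "CVE-0000-00001"},
     "containers": {"cna": {"metrics": [{"cvssV3_1": {"baseScore": 9.8}}]}}},
    {"cveMetadata": {"cveId": "CVE-0000-00002"},
     "containers": {"cna": {"metrics": [{"cvssV3_1": {"baseScore": 5.3}}]}}},
    {"cveMetadata": {"cveId": "CVE-0000-00003"},
     "containers": {"cna": {}}},  # CNA supplied no score
]

def kev_ids(catalog: dict) -> set:
    """Set of CVE IDs listed in a KEV catalog document."""
    return {v["cveID"] for v in catalog.get("vulnerabilities", [])}

def cna_score(record: dict) -> Optional[float]:
    """CNA-supplied CVSS base score, newest version first, or None if absent."""
    for metric in record["containers"].get("cna", {}).get("metrics", []):
        for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
            if key in metric and "baseScore" in metric[key]:
                return float(metric[key]["baseScore"])
    return None

def severity_band(score: float) -> str:
    """CVSS v3.x qualitative rating for a base score."""
    for limit, band in ((0.0, "NONE"), (3.9, "LOW"), (6.9, "MEDIUM"), (8.9, "HIGH")):
        if score <= limit:
            return band
    return "CRITICAL"

def triage(record: dict, kev: set) -> dict:
    """Choose a severity source and flag records NIST will likely leave unenriched."""
    cve = record["cveMetadata"]["cveId"]
    in_kev = cve in kev
    score = cna_score(record)
    if score is not None:
        source = "cna"           # NVD no longer re-scores CVEs the CNA has scored
    elif in_kev:
        source = "nvd-expected"  # KEV entries stay within NIST's enrichment scope
    else:
        source = "manual"        # likely "Not Scheduled": no score unless you assign one
    band = severity_band(score) if score is not None else None
    return {"cve": cve, "in_kev": in_kev, "score": score, "severity": band, "source": source}
```

Records that come back as "manual" are the ones whose severity your own process now has to supply, since neither the CNA nor NVD will.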



In "normal person speak" (Score:2, Insightful)

by Anonymous Coward

What does it mean to "enrich" a CVE?

Re: (Score:2)

by martin-boundary ( 547041 )

The Common Vulnerabilities and Exposures (CVE) program is a dictionary or glossary of vulnerabilities that have been identified for specific code bases, such as software applications or open libraries. This list allows interested parties to acquire the details of vulnerabilities by referring to a unique identifier known as the CVE ID.

(by clicking the link)

Re: (Score:1)

by hupa ( 4794815 )

What a strange comment section... Multiple people irritated enough to be complaining about a couple paragraphs about a technical topic they don't understand, but who also can't be bothered to look into it, except to demand that someone explain it to them...

Re: In "normal person speak" (Score:2)

by JoeRobe ( 207552 )

There are a lot of technical topics on /. I don't understand, but the point here is that they use an abbreviation like 20 times in a summary without ever defining it. If you use an abbreviation in technical writing (including a summary), you should define it the first time you use it. There may be some very common abbreviations that don't require defining, but this is not one of them.

Re: (Score:3)

by thehossman ( 198379 )

In the slashdot post, the words [1]automatically enrich [nist.gov] are a hyperlink that points to a guide from NIST explaining the overall CVE process. It has a very prominent section that explains exactly what "enrichment" has historically done for CVEs once they are in the NVD...

> The following is a general overview of the enrichment process for a given CVE:

>

> Enrichment efforts begin with reviewing any reference material provided with the CVE record and assigns appropriate reference tags. This helps organiz

[1] https://nvd.nist.gov/general/cve-process

What? (Score:1)

by Agnapot ( 1916966 )

So, what is a "CVE"? It's used an awful lot in the summary for never explaining what it is or what it stands for...

Re: (Score:2)

by rossdee ( 243626 )

I thought a CVE was an "escort carrier". They were used a lot in WWII. They couldn't carry as many planes as a full size attack carrier (CVA), but were a lot cheaper and faster to build. After WWII they were essentially obsolete since you needed a full size carrier (with catapults) to handle jets.
