Image: NIST

NIST to limit work on CVE entries as submissions surge

The National Institute of Standards and Technology (NIST) announced significant changes to the system that tracks cybersecurity vulnerabilities, admitting that bug submissions are growing exponentially each year.

NIST said it will only add details and information to the records of vulnerabilities that meet a certain threshold, changing a longstanding practice of enriching every CVE (Common Vulnerabilities and Exposures) entry.

The agency typically adds descriptions and data like the severity score of a vulnerability to the CVE record after it is submitted to the National Vulnerability Database (NVD). According to a NIST statement on Wednesday, this task became impossible with the deluge of submissions this year. 

“Submissions during the first three months of 2026 are nearly one-third higher than the same period last year. We are working faster than ever. We enriched nearly 42,000 CVEs in 2025 — 45% more than any prior year. But this increased productivity is not enough to keep up with growing submissions.”

NIST, which runs the NVD, said CVEs that don’t meet the new criteria will still be listed but will not have new information added — a process cybersecurity experts call “enrichment.”

Starting on Wednesday, NIST will only enrich CVEs that appear in the Known Exploited Vulnerabilities (KEV) catalog, the federal list of actively exploited bugs maintained by the Cybersecurity and Infrastructure Security Agency (CISA). Bugs added to the catalog will be enriched within one day of notice from CISA.

CVEs in products used by the federal government and software deemed “critical” will also be enriched by NIST. 

NIST said the changes would allow them to focus on the most critical CVEs and continue work while developing “the automated systems and workflow enhancements required for long-term sustainability.”

A spokesperson from NIST said they gave an in-depth presentation about the changes yesterday at the VulnCon cybersecurity conference.

“[We] have already received feedback and offers of support from the user community. This announcement is one step in a continuing process of strengthening the NVD, not a final update,” they added. 

Chris Butera, acting executive assistant director for cybersecurity at CISA, said they “have a strong relationship with NIST and will continue to collaborate to enable defenders worldwide to protect their networks.”

Cybersecurity experts and artificial intelligence companies have repeatedly warned that the democratization of AI code review tools is leading to a flood of new, but at times minor, vulnerabilities in popular products. 

Recent AI cybersecurity developments have also set off further alarm bells about autonomous systems with the ability to discover and immediately exploit bugs without direction. 

Staff cutbacks and stiff funding cuts at NIST set off a crisis in 2024 in which 90% of vulnerability submissions sent to NIST were not enriched. CISA stepped in to fill the void, enriching thousands of vulnerabilities on NIST's behalf while a consortium was created to plan ahead.

A senior leader at the NVD said their staff stayed the same – at 21 people – while the number of vulnerabilities continued to grow each year.

Dozens of cybersecurity experts signed a letter at the time to Congress and Secretary of Commerce Gina Raimondo imploring them to fund and protect the NVD, calling it “critical infrastructure for a large variety of cybersecurity products.”

“The NVD is integral to how every organization in the private and public sectors worldwide works to defend against vulnerability exploitation attacks targeting their technology systems,” the letter said. “We are deeply concerned with the loss of this functionality and the lack of transparent communication from NIST about this issue to the cybersecurity community and organizations that depend on it.”

CVE Backlog left behind

NIST repeatedly pledged to clear the backlog throughout the end of 2024 and 2025 but admitted on Wednesday that it would be impossible for them to enrich the thousands of records left from that funding snafu. 

“Unfortunately, we have been unable to clear that backlog, in part due to the increasing rate of submissions. Therefore, when we implement the new prioritization criteria described above, we will move all backlogged CVEs with an NVD publish date earlier than March 1, 2026, into the ‘Not Scheduled’ category,” the agency said.

NIST will go through the backlog and pick out vulnerabilities that meet the new criteria and prioritize them over the rest. 

Throughout the announcement, NIST said even bugs that don’t meet the new criteria “may have a significant impact on affected systems” and admitted that the new rules “may not catch every potentially high-impact CVE.” Researchers can request CVE enrichment by emailing NIST.

NIST also said it would no longer produce its own CVSS severity score for every submitted CVE, instead relying on the score supplied by the submitter, typically the CVE Numbering Authority (CNA) that issued the record.

The agency said the changes can “ensure that the database remains a reliable, sustainable and publicly available source of information about cybersecurity vulnerabilities.”

“We recognize that these changes will affect our users. However, this risk-based approach is necessary to manage the current surge in CVE submissions while we work to align our efforts with the needs of the NVD community,” NIST said.

Bugcrowd’s Trey Ford said NIST is “acknowledging something the research community has understood for years: you cannot centralize vulnerability triage at this volume and expect it to hold.”

“The signal that actually drives remediation priority has always come from real-world exploitability, not database metadata, and that requires human researchers with adversarial instincts working continuously against live environments,” he said. 

“The next generation of vulnerability programs will be built around that kind of active, distributed signal, not quarterly enrichment cycles.”

Updated 4/16 at 12:40pm EST with comments from NIST and CISA.

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.