
NIST Discontinues NVD Enrichment for Vulnerabilities Before March 2026


Surge in Cybersecurity Vulnerabilities Challenges US National Vulnerability Database Operations

The team managing the US National Vulnerability Database (NVD) is facing significant challenges in keeping pace with an unprecedented rise in reported vulnerabilities. Harold Booth, a computer scientist from the US National Institute of Standards and Technology (NIST), conveyed these concerns during a presentation at VulnCon26, held in Scottsdale, Arizona, on April 15. According to Booth, the database, which is vital for tracking common vulnerabilities and exposures (CVEs), has been unable to keep up with the dramatic increase in CVE submissions.

Booth elaborated on the operational adjustments being made within the NVD to cope with what he described as a “record growth” of reported vulnerabilities. As he noted, while the NVD is committed to adequately addressing CVE reporting, it currently lacks the resources necessary to manage the overwhelming influx. “CVE reporting keeps increasing – and trust me, at the NVD, we see them all – and our ability to keep up is just not there, so our backlog keeps increasing too,” Booth admitted, signaling an urgent need for change in their operational framework.

In light of these challenges, the NVD will be shifting to a risk-based approach that prioritizes which vulnerabilities to process and enrich first. This shift will entail severe measures, including a decision to cease enrichment for all vulnerabilities reported before March 1, 2026. The NVD will place a higher priority on vulnerabilities that impact software utilized by the US federal government, along with critical software as outlined in Executive Order 14028 from 2021.

Additionally, vulnerabilities listed in the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog will be prioritized. Booth emphasized that despite these changes, all submitted CVEs will still be included in the NVD, although those that do not meet the prioritization criteria will be marked “Not Scheduled.” “Vulnerabilities are a way for an attacker to gain access to a system that they should not, and we want to close those holes as quickly, efficiently, and effectively as possible. We want to focus on the ones that are important, not the ones that are unimportant,” he asserted.

For those whose vulnerabilities do not receive immediate attention, there remains an avenue for further action; users can request enrichment of unscheduled CVEs by reaching out via email to the NVD. This step aims to involve stakeholders in the process and potentially reduce some of the backlog.

The Escalating Threat of CVE Submissions

The urgency behind these operational changes is underscored by the statistics. According to a recent NIST statement, CVE submissions surged by 263% from 2020 to 2025. In 2025 alone, the NVD enriched nearly 42,000 CVEs, 45% more than in any previous year. However, the rate of new submissions continues to outstrip its capacity to process them. Booth highlighted that submissions during the first three months of 2026 have already exceeded last year’s figure for the same period by nearly a third, making it clear that the burden on the NVD is intensifying.

Projections from the Forum of Incident Response and Security Teams (FIRST) point towards an even steeper increase in 2026, with an estimated total of 50,000 new CVEs anticipated. Cisco’s principal engineer, Jerry Gamblin, predicts an even more dire scenario, estimating a possible total of 70,135 CVEs by the end of this year, which would mark a 45.6% growth compared to 2025. The alarming part is that these numbers do not consider the recent advancements in generative AI models by companies like OpenAI and Anthropic, which aim to autonomously identify and rectify vulnerabilities at scale.

Booth also acknowledged the rise in the number of Common Platform Enumeration (CPE) identifiers, a standardized naming scheme crucial for identifying hardware, software, and operating systems. This growth is largely attributed to new vulnerability discovery tools that leverage large language models (LLMs).

Adjustments in CVE Scoring and Analysis

Alongside the prioritization of CVE enrichment, Booth announced further adjustments in how the NVD will manage CVE scoring. The NVD will discontinue providing its own severity scores for CVEs that have already been scored by the submitting authority, unless discrepancies arise that justify a re-evaluation. Additionally, the NVD will now only reassess modified CVEs if the changes significantly influence the enrichment data, streamlining processes in response to growing demands.

Users will still have the option to request score changes or new analyses, with the NVD promising a case-by-case review of such submissions. This approach reflects a desire to maintain clarity and efficiency in the face of a burgeoning backlog.

To enhance transparency, Booth said the NVD would adopt updated status labels for CVEs, replacing older terms such as “Deferred” with “Not Scheduled” to indicate that the corresponding CVE will not be enriched. A document outlining the new status labels has also been published to help users understand the categorization system.
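The practical consequence of the prioritization rules above and of the scoring changes is that a vulnerability-management pipeline can no longer assume every CVE carries an NVD-supplied CVSS score. The following added example (not code from NIST or the NVD) shows one way to triage records: it prefers the NVD’s own score, falls back to the submitting CNA’s score, and flags records that fall under the “Not Scheduled” status or the March 1, 2026 cutoff. The JSON layout is modelled on the NVD API 2.0 response shape; the sample records, CVE ids and source names are constructed for illustration.

```python
"""Triage CVE records for a pipeline that can no longer rely on NVD enrichment."""
import json
from datetime import date

# From the article: NVD will not enrich CVEs reported before this date.
CUTOFF = date(2026, 3, 1)
NOT_SCHEDULED = "Not Scheduled"  # status label named in the article

# Constructed sample, NOT real NVD output: one CVE fully enriched by NVD,
# one scored only by the submitting CNA, one with no score at all.
SAMPLE_RESPONSE = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-2026-00001", "published": "2026-03-10T12:00:00.000",
             "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [
                 {"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"baseScore": 9.8}},
                 {"source": "cna@example.org", "type": "Secondary", "cvssData": {"baseScore": 8.8}}]}}},
    {"cve": {"id": "CVE-2026-00002", "published": "2026-02-20T12:00:00.000",
             "vulnStatus": NOT_SCHEDULED,
             "metrics": {"cvssMetricV31": [
                 {"source": "cna@example.org", "type": "Secondary", "cvssData": {"baseScore": 7.5}}]}}},
    {"cve": {"id": "CVE-2026-00003", "published": "2026-01-05T12:00:00.000",
             "vulnStatus": NOT_SCHEDULED, "metrics": {}}},
]})


def effective_score(cve):
    """Return (baseScore, origin). 'Primary' is NVD's own score, 'Secondary' the CNA's."""
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    nvd = [m for m in metrics if m.get("type") == "Primary"]
    cna = [m for m in metrics if m.get("type") == "Secondary"]
    if nvd:
        return nvd[0]["cvssData"]["baseScore"], "nvd"
    if cna:
        return cna[0]["cvssData"]["baseScore"], "cna"
    return None, "none"


def triage(response_json):
    """Map CVE id -> where its score came from and whether NVD enrichment is expected."""
    result = {}
    for item in json.loads(response_json)["vulnerabilities"]:
        cve = item["cve"]
        published = date.fromisoformat(cve["published"][:10])
        score, origin = effective_score(cve)
        result[cve["id"]] = {
            "score": score,
            "origin": origin,
            # Pre-cutoff or Not Scheduled records will not get NVD enrichment.
            "nvd_enrichment_expected": published >= CUTOFF and cve["vulnStatus"] != NOT_SCHEDULED,
            # Nothing to go on: score it locally or request enrichment from the NVD.
            "needs_manual_review": score is None,
        }
    return result
```

Records flagged `needs_manual_review` are the ones the article says can be sent to the NVD by email for enrichment; until then the organisation must score them itself.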

As the NVD evolves in response to unprecedented growth in vulnerability reporting, these changes signify a crucial shift towards prioritizing critical cyber threats, aiming for a more efficient and responsive database system.
