CyberSecurity SEE

NVD Backlog Keeps Increasing


The National Vulnerability Database, overseen by the National Institute of Standards and Technology, is facing a mounting crisis as the backlog of unanalyzed vulnerabilities continues to swell. Recent projections indicate that this backlog could climb to nearly 30,000 unprocessed vulnerabilities by the conclusion of 2024.

This database serves as the official United States repository for Common Vulnerabilities and Exposures (CVEs), making it a crucial resource for the many scanners, analysts, and vendors that rely on it to identify software vulnerabilities. When vulnerabilities are not promptly analyzed and added to the database, enterprise defenders lose the ability to prioritize which vulnerabilities require immediate patching and to detect issues that affect multiple applications.
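As an added illustration of the prioritization problem this paragraph describes (example code written for this page, not anything published by NIST or Fortress): the records below are constructed, the CVE identifiers are placeholders, and the field names (`vulnStatus`, `metrics.cvssMetricV31`, and the `Primary`/`Secondary` entry `type`) follow the NVD API 2.0 JSON layout as an assumption about that schema. A defender's pipeline can flag which CVEs the NVD has not yet enriched, fall back to a CNA-supplied score where one exists, and route the rest to manual triage instead of silently treating "no NVD score" as "low risk".

```python
"""Triage CVE records that the NVD has not yet enriched.

The sample response is constructed for this example and mimics the shape of
an NVD API 2.0 `vulnerabilities[].cve` record (assumed schema). CVE ids are
placeholders, not real vulnerabilities.
"""
from __future__ import annotations

from typing import Any, Optional

# vulnStatus values that mean NIST has not finished its analysis
# (assumption: listed by hand from the NVD API 2.0 documentation).
UNENRICHED_STATUSES = {"Received", "Awaiting Analysis", "Undergoing Analysis"}

# Constructed sample data: one fully analyzed record, one awaiting analysis
# with only a CNA score, one awaiting analysis with no score, one rejected.
SAMPLE_RESPONSE: dict[str, Any] = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [
                     {"source": "nvd@nist.gov", "type": "Primary",
                      "cvssData": {"baseScore": 9.8}}]}}},
        {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
                 "metrics": {"cvssMetricV31": [
                     {"source": "cna@example.invalid", "type": "Secondary",
                      "cvssData": {"baseScore": 7.5}}]}}},
        {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis",
                 "metrics": {}}},
        {"cve": {"id": "CVE-0000-0004", "vulnStatus": "Rejected",
                 "metrics": {}}},
    ]
}


def best_score(cve: dict[str, Any]) -> tuple[Optional[float], Optional[str]]:
    """Return (baseScore, provenance).

    Prefers NIST's own CVSS v3.1 entry (type "Primary"), then a CNA-supplied
    one (type "Secondary"); returns (None, None) when no score exists yet.
    """
    entries = cve.get("metrics", {}).get("cvssMetricV31", [])
    for wanted, label in (("Primary", "nvd"), ("Secondary", "cna")):
        for entry in entries:
            if entry.get("type") == wanted:
                return float(entry["cvssData"]["baseScore"]), label
    return None, None


def triage(response: dict[str, Any]) -> list[dict[str, Any]]:
    """Decide, per record, which score (if any) to use and what to do next."""
    rows: list[dict[str, Any]] = []
    for item in response.get("vulnerabilities", []):
        cve = item["cve"]
        status = cve.get("vulnStatus", "")
        score, provenance = best_score(cve)
        if status == "Rejected":
            action = "skip"                      # withdrawn CVE, nothing to patch
        elif provenance == "nvd":
            action = "use NVD score"
        elif provenance == "cna":
            action = "use CNA score, revisit when analyzed"
        else:
            action = "manual triage"             # unscored: do not default to "low"
        rows.append({"id": cve["id"], "status": status, "score": score,
                     "score_source": provenance, "action": action})
    return rows


def unenriched_ids(response: dict[str, Any]) -> list[str]:
    """CVE ids still sitting in the NVD backlog, for a tracking report."""
    return [r["id"] for r in triage(response)
            if r["status"] in UNENRICHED_STATUSES]


if __name__ == "__main__":
    for row in triage(SAMPLE_RESPONSE):
        print(f"{row['id']:<14} {row['status']:<18} "
              f"{row['score'] if row['score'] is not None else '-':>5} "
              f"{row['score_source'] or '-':<4} {row['action']}")
    print("backlog:", ", ".join(unenriched_ids(SAMPLE_RESPONSE)))
```

The point of the fallback order is that a record's absence from the NVD enrichment is itself a signal: scanners that key only on the NVD's "Primary" score will report nothing for the second and third records, which is exactly the blind spot the article describes.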

Currently, the NVD is grappling with a backlog of 16,974 vulnerabilities, with an average influx of approximately 111 new security flaws each day. Data analysis from Fortress Information Security underscores the daunting challenge facing NVD analysts, estimating that they would need to address over 217 vulnerabilities daily just to clear the existing backlog and keep pace with incoming reports. However, the current rate at which NIST is processing new Common Vulnerabilities and Exposures (CVEs) falls short of this target, with Fortress reporting that NIST is handling just over 30 new CVEs per day.

Various factors have contributed to this backlog, including resource constraints, an escalating volume of disclosed vulnerabilities, and other operational limitations acknowledged earlier this year by NIST. In response to these challenges, NIST has established collaborative initiatives with the Cybersecurity and Infrastructure Security Agency and engaged a private cybersecurity firm to assist in alleviating the backlog. The objective is to reduce the backlog by September 30, coinciding with the conclusion of the government’s fiscal year.

Despite these efforts, analysis conducted by Fortress indicates that NIST has evaluated only a fraction of the new CVEs identified in 2024. If the current pace is maintained, Fortress projects that roughly 29,569 vulnerabilities will remain unanalyzed by the year's end, even assuming analysts work seven days a week. With 155 days remaining in 2024 and only 62 days until the fiscal year's end, NIST will need to significantly augment its resources to make substantial headway in reducing the backlog.

The escalating backlog of unprocessed vulnerabilities at the National Vulnerability Database underscores the critical need for enhanced operational capacity and streamlined processes to ensure the timely and comprehensive analysis of security flaws. As cyber threats continue to proliferate, the ability to swiftly identify and mitigate vulnerabilities is paramount in safeguarding organizations against potential cyber attacks and data breaches.
