Note: This post was written by Claude Opus 4.7. The following is a synthesis of NIST’s announcement and reporting from major security news organizations.
The National Institute of Standards and Technology runs the world’s de facto vulnerability catalog. On Tuesday, it formally stopped pretending it could keep up with it.
On April 15, NIST announced that its National Vulnerability Database (NVD) will no longer automatically analyze every CVE submitted to it. Going forward, only three categories of vulnerability qualify for full analysis: entries already in CISA’s Known Exploited Vulnerabilities (KEV) catalog, vulnerabilities in software used by the federal government, and anything defined as “critical software” under Executive Order 14028. Everything else is still listed in the database, but filed under “Not Scheduled.” All CVEs published before March 1, 2026, including the existing backlog, move to the same bucket.
The reason is arithmetic. NIST enriched nearly 42,000 CVEs in 2025, 45% more than in any prior year. It still wasn’t enough. CVE submissions grew 263% between 2020 and 2025, and the first quarter of 2026 ran nearly a third ahead of the same window last year. AI-assisted vulnerability discovery is accelerating the curve.
What NIST is, and what the NVD does
NIST is a federal non-regulatory agency inside the U.S. Department of Commerce. It writes the technical standards American industry runs on: for cryptography, measurement, manufacturing, and cybersecurity. If you’ve ever heard of “NIST 800-53” or the “NIST Cybersecurity Framework,” you’ve encountered its work.
The National Vulnerability Database is NIST’s public catalog of software vulnerabilities. When a new flaw gets disclosed and assigned a CVE identifier (think “CVE-2026-32201”), the NVD is where the world goes to learn about it. That “learning about it” is the part NIST is now stepping back from.
The distinction matters. A bare CVE entry is usually a short technical summary written by the vendor or researcher who found the bug. NIST’s job has been to enrich that entry with metadata: an independent severity score (CVSS), a weakness classification (CWE), and, crucially, the affected product and version combinations, expressed as CPE identifiers. Without that metadata, the entry is a sentence in a logbook. With it, the entry is something vulnerability scanners, SBOM tools, and compliance platforms can act on.
Why that matters to anyone running software
Consider a typical corporate vulnerability scanner: Tenable, Rapid7, Qualys, Wiz, or the open-source tools bundled with most Linux distributions. When those tools check whether your servers are at risk, they match the installed software against the CPE identifiers in NVD records. If a CVE has not been enriched with CPE data, a scanner that relies on that matching cannot tie it to anything on your network. The vulnerability is not flagged. Your dashboard shows green. You are not green. Scanners that also consume distribution advisories or a vendor’s own enrichment data are less exposed, but whatever part of their coverage derives from NVD CPE matching fails in exactly this way.
This is the quiet failure mode. A silent false negative looks identical to “clean.”
How we got here
The backlog crisis is not new. In early 2024, roughly 2,100 CVEs sat unenriched. By the end of that year, the number had ballooned to nearly 30,000. Budget pressure on the Department of Homeland Security and CISA reduced the resources flowing into the NVD. NIST hired a contractor, cleared some of the backlog, and never caught up. At NIST’s January 2026 quarterly meeting, officials signaled that a triage pivot was coming. April 15 was the pivot.
NIST’s own statement did not dress it up: “We enriched nearly 42,000 CVEs in 2025, 45% more than any prior year. But this increased productivity is not enough.”
What breaks
Three practical consequences stand out.
Scanners will miss CVEs. Anything that doesn’t clear the new triage bar (CISA KEV, federal use, or EO 14028 critical software) lands in “Not Scheduled.” Commercial and open-source scanners that match on NVD’s CPE identifiers will not surface those entries. False negatives become routine for anything outside the prioritized set.
The existing backlog becomes dead weight. Everything with an NVD publish date before March 1, 2026, including unenriched CVEs from 2024 and 2025, moves to “Not Scheduled.” Organizations still remediating older vulnerabilities cannot assume the NVD will tell them what those CVEs actually affect.
Severity scores fragment. NIST has historically reviewed the submitter’s CVSS score and issued its own when the two disagreed. Under the new policy, NIST accepts the submitter’s score at face value and will not re-analyze modified CVEs unless someone flags it via email to nvd@nist.gov. Severity now varies by source, not just by judgment.
What to do
Three small steps for anyone who depends on vulnerability data:
- Subscribe to CISA’s KEV catalog directly. It is the one data source NIST has committed to enriching within one business day.
- Cross-reference with commercial vulnerability databases. VulnCheck, Tenable, Rapid7, Snyk, and others maintain their own enrichment pipelines precisely because this day was coming. If you already pay for a scanner, ask your vendor how they compensate for NVD gaps.
- Stop reading silent scans as clean scans. A vulnerability scan that reports zero findings should no longer be read as “we’re secure.” It may only mean “nothing matched in the enriched subset.”
The NVD is not dead. It is becoming a smaller, more tightly-scoped service focused on what the federal government needs to secure its own systems. That was arguably always its mission. The accident was that the rest of the world built its security posture on top of it.
Sources
- NIST - NIST Updates NVD Operations to Address Record CVE Growth
- The Hacker News - NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions
- Help Net Security - NIST Admits Defeat on NVD Backlog, Will Enrich Only Highest-Risk CVEs Going Forward
- Infosecurity Magazine - NIST Drops NVD Enrichment for Pre-March 2026 Vulnerabilities
- SiliconANGLE - NIST Shifts National Vulnerability Database to Risk-Based Triage as CVE Submissions Hit Record Levels
- The Record - NIST to Limit Work on CVE Entries as Submissions Surge
- Aikido - NIST NVD Changes 2026: What Security Teams Need to Know
- Risky Business - Risky Bulletin: NIST Gives Up Enriching Most CVEs
