NIST Drops NVD Enrichment for Pre-March 2026 Vulnerabilities

https://www.infosecurity-magazine.com/news/nvd-enrichment-premarch-2026/

Publish Date: 2026-04-16 08:43:00

Source Domain: www.infosecurity-magazine.com

The team behind the US National Vulnerability Database (NVD) can’t keep up with the explosion of new reported vulnerabilities, said a top official of the US National Institute of Standards and Technology (NIST), which hosts the database.

Speaking at VulnCon26 in Scottsdale, Arizona, on April 15, Harold Booth, a NIST computer scientist, said the NVD had to make operational adjustments in how its data analysts enrich vulnerabilities to address the “record growth” of reported common vulnerabilities and exposures (CVEs).

“CVE reporting keeps increasing – and trust me, at the NVD, we see them all – and our ability to keep up is just not there, so our backlog keeps increasing too,” Booth said.

The data analysts will thus shift to a risk-based approach that will guide how they prioritize which CVEs to process and enrich first.

This new approach implies bold moves, including the NVD dropping routine enrichment for all currently unenriched vulnerabilities reported before March 1, 2026.

Additionally, the NVD will prioritize enriching vulnerabilities found in software used by the US federal government or in critical software as defined by Executive Order 14028, published in 2021.

The NVD will also give precedence to vulnerabilities included in the US Cybersecurity and Infrastructure Agency’s (CISA) Known Exploited Vulnerabilities (KEV) list.

“All submitted CVEs will still be added to the NVD. However, those that do not meet the criteria above will be categorized as ‘Not Scheduled,’” said Booth.

“Vulnerabilities are a way for an attacker to gain access to a system that they should not and we want to close those holes as quickly, efficiently and effectively as possible. We want to focus on the ones that are important, not the ones that are unimportant,” he added.

Users can request enrichment of any unscheduled CVEs by emailing the NVD at [email protected].

The CVE Surge Threatens NVD Capacity

This change is driven by a surge in CVE…
