The National Institute of Standards and Technology (NIST) has announced a fundamental shift in how the National Vulnerability Database (NVD) operates, acknowledging that the volume of new vulnerability reports has outpaced the agency's capacity for manual analysis. Speaking at the VulnCon26 conference in Scottsdale, Arizona, on April 15, 2026, NIST computer scientist Harold Booth revealed that the NVD is transitioning to a "risk-based approach" to manage a record-breaking backlog of Common Vulnerabilities and Exposures (CVEs). This is one of the most significant structural changes to the US government's primary vulnerability repository since its inception: the NVD is abandoning the goal of comprehensive enrichment for every reported software flaw.
The NVD is the most widely used repository of standards-based vulnerability management data and is synchronized with the CVE list. Since its launch in 2005 it has provided "enrichment", the process of adding metadata that identifies the affected products (Common Platform Enumeration, CPE, names), the type of weakness (Common Weakness Enumeration, CWE, classifications) and the severity (Common Vulnerability Scoring System, CVSS, scores). This metadata is what lets organizations automate patch management and risk assessment. Booth admitted, however, that the "record growth" in reported vulnerabilities has opened a gap that the agency can no longer bridge with its traditional, analyst-driven workflow.
The Shift to a Risk-Based Enrichment Model
Under the newly unveiled operational framework, NIST will no longer attempt to enrich every CVE submitted to the database. Instead, data analysts will prioritize vulnerabilities based on their potential impact on national security and public safety. This prioritization will focus on three primary categories: software utilized by the US federal government, "critical software" as defined by Executive Order 14028 (the 2021 directive on Improving the Nation’s Cybersecurity), and vulnerabilities included in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) list.
"CVE reporting keeps increasing—and trust me, at the NVD, we see them all—and our ability to keep up is just not there, so our backlog keeps increasing too," Booth told the audience at VulnCon26. The practical result of this backlog is a "bold move" to drop routine enrichment for all currently unenriched vulnerabilities reported before March 1, 2026. While all submitted CVEs will still be listed in the NVD to ensure they are discoverable, those that do not meet the new priority criteria will be relegated to a "Not Scheduled" status.
Booth emphasized that the goal is efficiency rather than abandonment. "Vulnerabilities are a way for an attacker to gain access to a system that they should not, and we want to close those holes as quickly, efficiently, and effectively as possible," he explained. "We want to focus on the ones that are important, not the ones that are unimportant." For organizations that require enrichment for a specific "Not Scheduled" vulnerability, NIST has established a request process via email, though processing these requests will likely remain subject to resource availability.
The Statistical Reality of the CVE Explosion
The decision to overhaul NVD operations is supported by stark data on the trajectory of software vulnerability reporting. According to a NIST statement released alongside Booth's presentation, annual CVE submissions in 2025 reached 263% of their 2020 volume. This sustained growth has placed an unsustainable burden on the human analysts responsible for manual enrichment.

In 2025, the NVD team enriched nearly 42,000 CVEs, 45% more than in any previous year. Despite that record productivity, the team fell further behind because the rate of new submissions accelerated faster still: the first three months of 2026 saw submission volumes nearly 33% higher than the same period in 2025. Industry forecasts suggest the trend is only worsening. The Forum of Incident Response and Security Teams (FIRST) recently predicted that 2026 would see at least 50,000 additional CVEs.
Other industry experts offer even more dire projections. Jerry Gamblin, a principal engineer at Cisco Threat Detection & Response, has forecasted that the total number of CVEs could reach 70,135 by the end of 2026. If realized, this would represent a staggering 45.6% growth rate compared to the 48,171 vulnerabilities recorded in 2025. This volume represents a "new normal" that traditional government staffing and manual workflows are not equipped to handle.
Chronology of an Operational Crisis
The crisis facing the NVD did not emerge overnight, but rather built up over several years of technological shifts.
- 2020–2023: The baseline for CVE reporting begins to climb steadily as bug bounty programs become mainstream and automated scanning tools become more sophisticated.
- May 2021: Executive Order 14028 is signed, tasking NIST and CISA with defining "critical software" and hardening the software supply chain, effectively increasing the scrutiny on vulnerability reporting.
- February 2024: Industry observers begin noting a significant slowdown in NVD enrichment activities, leading to a public outcry from cybersecurity professionals who rely on the data for automated tools.
- 2025: NIST achieves record enrichment numbers (42,000 CVEs) but realizes that even peak performance cannot match the incoming tide of data.
- February 2026: FIRST and independent analysts release record-breaking forecasts for the year ahead, citing the influence of AI in vulnerability discovery.
- April 15, 2026: NIST officially announces the pivot to a risk-based model at VulnCon26, acknowledging the necessity of triage.
The AI Factor: Automated Discovery and the CPE Surge
A significant driver of the current surge is the advent of generative AI and large language models (LLMs) specialized in cybersecurity. Booth acknowledged that his team has faced a particular explosion in Common Platform Enumeration (CPE) identifiers, which are used to uniquely identify hardware and software products. This growth is largely attributed to new vulnerability discovery tools based on LLMs.
The release of advanced models like Anthropic’s Claude Mythos and OpenAI’s GPT-5.4-Cyber has fundamentally altered the landscape. These models are capable of autonomously scanning source code, identifying potential flaws, and even drafting proof-of-concept exploits at a scale human researchers cannot match. While these tools promise to help defenders find and fix bugs before they are exploited, they also empower a wider range of actors to flood the CVE system with reports, many of which may be of marginal severity or "noise."
The result is a "data swamp" where critical, high-impact vulnerabilities are buried under thousands of low-risk or theoretical flaws. By adopting a risk-based approach, NIST is effectively trying to filter this AI-generated noise to ensure that human analysts are spending their time on the vulnerabilities that pose a genuine threat to infrastructure and government operations.
New Rules for CVSS Scoring and Analysis Standards
Beyond prioritization, NIST is also changing how it handles the technical details of CVEs. To reduce redundant work, the NVD will no longer assign its own CVSS score to a vulnerability that already carries a score from a recognized submitting authority, such as a CVE Numbering Authority (CNA). NVD analysts will add a separate score only when they judge the submitted score to be significantly misaligned with the actual risk.

Furthermore, the NVD is tightening its policy on re-analyzing modified CVEs. In the past, updates to a vulnerability entry often triggered a full re-review. Moving forward, NIST will only re-analyze modified entries if the changes materially impact the enrichment data—such as changing the affected software versions or the fundamental nature of the exploit.
To improve transparency, NIST has also updated its status labels. The "Deferred" status, which many in the industry found ambiguous, has been retired. It is replaced by the "Not Scheduled" label, which explicitly indicates that the NVD does not intend to enrich the CVE unless a specific request is made or the vulnerability’s priority changes. A comprehensive document explaining these new labels and the NVD workflow has been published on the NIST website to assist stakeholders in navigating the updated system.
Industry Implications and the Future of Vulnerability Management
The cybersecurity community's reaction to NIST's announcement has been a mix of pragmatism and concern. While many experts acknowledge that NIST's resources are finite, the "enrichment gap" creates significant hurdles for the private sector. Most vulnerability scanners and Security Operations Center (SOC) tools depend on NVD enrichment, and on CPE applicability data in particular, to map a CVE onto the software in an organization's inventory. A CVE record that carries no CPE data cannot be matched automatically, so a tool that relies on that matching will silently report the affected software as clean.
This shift places a greater burden on CNAs, typically software vendors and security researchers, to provide high-quality, accurate data at the time of submission. It also accelerates the need for decentralized enrichment efforts. The CVE Program's Authorized Data Publisher (ADP) mechanism, under which authorized third parties such as CISA's Vulnrichment project add CVSS, CWE and CPE data to CVE records that the NVD then ingests, is expected to become more central to the ecosystem.
Ultimately, the NVD's transition reflects a broader reality in the digital age: the volume of code being produced, and the speed at which it is being analyzed by humans and machines alike, has reached a point where total oversight is no longer possible. NIST's move to a risk-based model is a strategic retreat to a more defensible position, focusing government expertise where it is most needed while signaling to the rest of the industry that the era of "universal enrichment" has come to an end. Organizations must now prepare for a future in which vulnerability management requires more sophisticated internal triage and less reliance on a single, centralized government source for all security metadata.
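The internal triage described above has a concrete shape: a record that reaches the NVD without enrichment has no `configurations` block, so CPE matching cannot run, and any CVSS score it carries comes from the CNA or an ADP rather than from NIST (in the NVD API 2.0 feed, NVD's own score is tagged `"type": "Primary"` and a CNA or ADP score `"type": "Secondary"`). The following script is an added example for this article, not NIST or NVD code. It assumes records shaped like the NVD API 2.0 JSON feed, a set of CVE IDs taken from CISA's KEV list, and a local inventory keyed by the `part:vendor:product` portion of CPE 2.3 names; every CVE ID, vendor, product, version and score source below (`acme`, `widgetserver`, `cna@acme.example`, and so on) is constructed for illustration and refers to no real vulnerability. When the NVD has not supplied CPE data, the script falls back to a keyword scan of the CNA's description and routes the record to manual review instead of dropping it.

```python
"""Local triage of NVD records whose enrichment may be missing.

Added example for this article; not NIST/NVD code. Records follow the field
names of the NVD API 2.0 JSON feed. All CVE IDs, vendors, products, versions
and score sources below are constructed and do not refer to real vulnerabilities.
"""
import re

# Constructed inventory: CPE 2.3 "part:vendor:product" -> installed version.
INVENTORY = {"a:acme:widgetserver": "2.4.1", "o:exampleos:linux": "6.1.0"}


def version_key(version):
    """Sortable key: numeric pieces compare as ints, others as strings, never mixed."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version))


def in_range(installed, match):
    """Apply the optional NVD cpeMatch version bounds to an installed version."""
    k = version_key(installed)
    if "versionStartIncluding" in match and k < version_key(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and k <= version_key(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and k > version_key(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and k >= version_key(match["versionEndExcluding"]):
        return False
    return True


def best_cvss(cve):
    """Prefer NVD's own score (type "Primary"); fall back to a CNA/ADP score ("Secondary")."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30"):
        entries = metrics.get(key, [])
        for wanted in ("Primary", "Secondary"):
            for m in entries:
                if m.get("type") == wanted:
                    data = m["cvssData"]
                    return data["baseScore"], data.get("baseSeverity", "UNKNOWN").upper(), m.get("source")
    return None, "NONE", None


def affected_products(cve, inventory=INVENTORY):
    """CPE matching as a scanner does it; needs 'configurations', absent on unenriched records."""
    hits = []
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            for m in node.get("cpeMatch", []):
                if not m.get("vulnerable", False):
                    continue
                comps = m["criteria"].split(":")  # cpe:2.3:part:vendor:product:version:... (escaped ':' not handled)
                key, version = ":".join(comps[2:5]), comps[5]
                installed = inventory.get(key)
                if installed is None or (version not in ("*", "-") and version != installed):
                    continue
                if in_range(installed, m) and key not in hits:
                    hits.append(key)
    return hits


def description_hints(cve, inventory=INVENTORY):
    """Fallback for unenriched records: inventory product names mentioned in the English description."""
    text = " ".join(d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en").lower()
    return [key for key in inventory if key.split(":")[2] in text]


def triage(cve, kev_ids, inventory=INVENTORY):
    """Assign a priority tier; unenriched records go to review instead of being silently dropped."""
    score, severity, source = best_cvss(cve)
    hits = affected_products(cve, inventory)
    enriched = bool(cve.get("configurations"))
    if cve["id"] in kev_ids:
        tier = "P1-kev"                      # KEV membership outranks everything else
    elif hits and severity in ("CRITICAL", "HIGH"):
        tier = "P2-inventory-match"
    elif not enriched:
        tier = "P3-unenriched-review"        # no CPE data: matching impossible, human must look
    elif hits:
        tier = "P4-inventory-match-low"
    else:
        tier = "P5-not-applicable"
    return {"id": cve["id"], "status": cve.get("vulnStatus", ""), "tier": tier, "score": score,
            "severity": severity, "score_source": source, "matches": hits,
            "hints": [] if enriched else description_hints(cve, inventory)}


# Constructed sample records in NVD API 2.0 shape (not real CVEs); KEV IDs likewise constructed.
SAMPLE_RECORDS = [
    {"id": "CVE-2026-99901", "vulnStatus": "Analyzed",
     "descriptions": [{"lang": "en", "value": "Acme WidgetServer before 2.5.0 allows remote code execution."}],
     "metrics": {"cvssMetricV31": [
         {"source": "cna@acme.example", "type": "Secondary", "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}},
         {"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"baseScore": 8.8, "baseSeverity": "HIGH"}}]},
     "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
         {"vulnerable": True, "criteria": "cpe:2.3:a:acme:widgetserver:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.5.0"}]}]}]},
    {"id": "CVE-2026-99902", "vulnStatus": "Not Scheduled",
     "descriptions": [{"lang": "en", "value": "Acme WidgetServer 2.x mishandles session tokens."}],
     "metrics": {"cvssMetricV31": [
         {"source": "cna@acme.example", "type": "Secondary", "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}},
    {"id": "CVE-2026-99903", "vulnStatus": "Not Scheduled",
     "descriptions": [{"lang": "en", "value": "ExampleOS kernel privilege escalation."}], "metrics": {}},
    {"id": "CVE-2026-99904", "vulnStatus": "Analyzed",
     "descriptions": [{"lang": "en", "value": "Acme WidgetServer 3.0.0 denial of service."}],
     "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]},
     "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
         {"vulnerable": True, "criteria": "cpe:2.3:a:acme:widgetserver:3.0.0:*:*:*:*:*:*:*"}]}]}]},
]
SAMPLE_KEV = {"CVE-2026-99903"}


def run_sample():
    return [triage(record, SAMPLE_KEV) for record in SAMPLE_RECORDS]


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

On the four constructed records the tiers come out as P2 (enriched, inventory match, NVD's 8.8 preferred over the CNA's 7.5), P3 (unenriched; the CNA's 9.8 is the only score and the description hint points at the inventoried product), P1 (on the KEV list, so enrichment is irrelevant) and P5 (enriched, but the exact-version criterion 3.0.0 does not match the installed 2.4.1). In production the KEV set would be loaded from CISA's published KEV JSON feed and the inventory from an SBOM or asset database; the point of the P3 tier is that a "Not Scheduled" record with a critical CNA score never disappears into a scanner's "no match" bucket.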
