NIST Gives Up on Enriching Most CVEs — And the Foundation of Cybersecurity Cracks
If you work in security, the past few nights have probably been rough. The National Vulnerability Database — NIST’s NVD, the de facto global reference for software vulnerabilities — has officially conceded it can no longer analyze most incoming CVEs. This is not a minor service degradation. It’s the quiet collapse of a two-decade-old model, and the replacement is not ready.
What the NVD Actually Did for You
Every vulnerability gets a CVE ID — a string like CVE-2025-12345. By itself, that number tells you almost nothing. How severe is it? Which products are affected? How is it exploited? Blank.
The NVD filled that blank. NIST analysts attached CVSS scores, CPE lists (the exact products hit), and CWE categories to each new entry. The industry calls this enrichment. Vulnerability scanners, SBOM tools, compliance pipelines, SOAR playbooks: a large share of automated security tooling quietly assumed this data would be there.
Now NIST has said, in effect: for most CVEs, it won’t be.
How We Got Here
The cracks showed up in early 2024, when NIST's backlog ballooned into the tens of thousands as CVE volume exploded and staffing didn't. Annual CVE issuance passed 40,000 in 2024 and has kept climbing since, and NVD's throughput never kept pace.
Three forces drove the collapse.
Budget stasis. NVD funding has been flat for years while CVE volume grows 20–30% annually. A 2024 contracting gap stalled enrichment for months, and trust never fully recovered.
CNA proliferation. GitHub, the Linux Foundation, and hundreds of vendors can now issue CVEs themselves. Supply exploded. The single downstream bottleneck — NIST — did not.
A structural dead end. The idea that one US federal agency could centrally enrich every software vulnerability on the planet was always fragile. It just took until now for the math to fully break.
What Actually Breaks
Tooling that silently depended on NVD enrichment is now returning “severity unknown” and “affected product: unclassified.” The blast radius is wider than most teams realize.
- SBOM-driven automation: matching open-source components to CVEs requires CPE strings. Without them, the match fails.
- Regulatory compliance: frameworks like FedRAMP and PCI DSS hang patch deadlines on CVSS thresholds ("CVSS ≥ 7 patched within 30 days"). No score, no clean rule, and a CVE reported as "severity unknown" silently falls out of the deadline queue instead of into it.
- Small and mid-size teams: Fortune 500 security orgs run their own analyst benches. A two-person security team at a 500-employee SaaS company does not. They were 100% NVD-dependent.
The snark on Hacker News and in FINOS working groups — rebranding CVE as “Communications Very Erratic” — captures the mood. Enterprise security architects are less amused.
Who Fills the Vacuum
It’s not pure darkness. A federated patchwork is emerging fast.
CISA’s Vulnrichment is the closest thing to a successor. The agency is directly attaching CVSS, CWE, CPE and SSVC decision points to CVE records, and has already enriched thousands. The GitHub Advisory Database has quietly become one of the best open-source vulnerability datasets in existence. OSV, the OpenSSF vulnerability schema behind Google’s osv.dev, is becoming the lingua franca for automated tooling because it keys advisories to package names and version ranges rather than to CPE strings. Commercial vendors (Snyk, Tenable, Qualys, Wiz) are turning their internal enrichment DBs into a paid differentiator.
The problem isn’t whether alternatives exist. It’s that replacing one hub with five shards guarantees inconsistency. The same CVE now carries different CVSS scores depending on who scored it. Information asymmetry widens. And the organizations best equipped to navigate the fragmentation are the ones that were already fine — the ones that could afford commercial feeds. Everyone else inherits the noise.
What to Do This Week
If you own vulnerability management, a few concrete moves are overdue.
Go multi-source. Reconfigure scanners to cross-reference CISA KEV, GitHub Advisory, OSV, and vendor advisories — not just NVD. Treat NVD as one input, not the input.
Re-weight your prioritization. CVSS is becoming sparser and staler. Lean harder on signals that actually predict risk: CISA KEV listing (confirmed in-the-wild exploitation) and your own exposure data. A “critical” with no real-world exploitation may matter less than a “medium” that’s actively being weaponized.
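The two moves above, matching SBOM components without depending on NVD CPE strings (the failure mode from the "What Actually Breaks" list) and letting a KEV listing outrank a CVSS score, as an added, runnable Python example. This is not code from the original post or from any of the projects named. The SBOM components, NVD-style records, OSV-style advisories, KEV list and every CVE/GHSA/PYSEC identifier in it are constructed and hypothetical, and version comparison is deliberately simplified to numeric dotted versions.

```python
"""Multi-source vulnerability matching and prioritisation that does not depend on NVD enrichment.

Added example: all feeds below are constructed in-memory stand-ins, not real advisories.
"""
from __future__ import annotations

# --- Constructed sample data (hypothetical identifiers, not real CVEs or advisories) ---
SBOM_COMPONENTS = [
    "pkg:npm/example-lib@2.3.1",    # vulnerable; its CVE is unenriched in NVD but listed in KEV
    "pkg:pypi/demo-parser@1.0.4",   # vulnerable; enriched in NVD (CPE + CVSS), not in KEV
    "pkg:npm/example-lib@2.3.4",    # the fixed version; must not match anything
]

# NVD-style records. An unenriched record has an empty CPE list and no CVSS score.
NVD_RECORDS = {
    "CVE-2025-00001": {"cpe": [], "cvss": None},
    "CVE-2025-00002": {"cpe": ["cpe:2.3:a:demo:demo-parser:*:*:*:*:*:python:*:*"], "cvss": 5.3},
}

# OSV-style advisories: ecosystem + package + [introduced, fixed) version range + optional score.
OSV_ADVISORIES = [
    {"id": "GHSA-0000-0000-0001", "aliases": ["CVE-2025-00001"], "ecosystem": "npm",
     "package": "example-lib", "introduced": "2.0.0", "fixed": "2.3.4", "cvss": 8.1},
    {"id": "PYSEC-0000-0002", "aliases": ["CVE-2025-00002"], "ecosystem": "PyPI",
     "package": "demo-parser", "introduced": "0", "fixed": "1.1.0", "cvss": 6.5},
]

# CISA KEV-style set: CVEs with confirmed in-the-wild exploitation.
KEV = {"CVE-2025-00001"}

# purl package type -> OSV ecosystem name (subset; hypothetical mapping for this example).
PURL_TO_OSV_ECOSYSTEM = {"npm": "npm", "pypi": "PyPI", "maven": "Maven", "golang": "Go"}
PRIORITY_ORDER = ["P1-exploited", "P1", "P2", "P3", "P3-unscored"]


def parse_purl(purl: str) -> tuple[str, str, str]:
    """Split 'pkg:type/name@version' into (type, name, version). Qualifiers and subpaths are ignored."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    ptype, _, rest = purl[4:].partition("/")
    name, _, version = rest.rpartition("@")
    if not version:
        raise ValueError(f"purl has no version: {purl}")
    return ptype, name, version


def version_key(v: str) -> tuple[int, ...]:
    """Numeric dotted versions only (an assumption of this example; real tooling needs per-ecosystem rules)."""
    return tuple(int(part) for part in v.split("."))


def cpe_match(nvd_record: dict, name: str) -> bool:
    """Product-name match on CPE 2.3 strings, as an NVD-dependent scanner does it.
    An unenriched record has no CPEs, so the result is 'no match', not 'unknown'."""
    wanted = name.lower().replace("-", "_")          # naive normalisation; real CPE matching is fussier
    for cpe in nvd_record["cpe"]:
        parts = cpe.split(":")                       # cpe:2.3:part:vendor:product:version:...
        if len(parts) > 4 and parts[4].lower().replace("-", "_") == wanted:
            return True
    return False


def osv_match(advisory: dict, ecosystem: str, name: str, version: str) -> bool:
    """Match on ecosystem + package name + [introduced, fixed) range; no CPE needed."""
    if advisory["ecosystem"] != ecosystem or advisory["package"] != name:
        return False
    v = version_key(version)
    return version_key(advisory["introduced"]) <= v < version_key(advisory["fixed"])


def prioritise(cve: str, scores: dict[str, float | None]) -> str:
    """KEV beats CVSS: confirmed exploitation is P1 whatever the score; no score anywhere is
    'unscored' (needs a human look), never silently 'low'."""
    if cve in KEV:
        return "P1-exploited"
    known = [s for s in scores.values() if s is not None]
    if not known:
        return "P3-unscored"
    top = max(known)                                  # most conservative score across sources
    return "P1" if top >= 9.0 else "P2" if top >= 7.0 else "P3"


def triage(purls: list[str]) -> list[dict]:
    """Run both match paths over an SBOM, merge per (component, CVE), then prioritise."""
    findings: dict[tuple[str, str], dict] = {}

    def record(purl: str, cve: str, source: str, score: float | None) -> None:
        f = findings.setdefault((purl, cve), {"purl": purl, "cve": cve, "matched_by": [], "scores": {}})
        f["matched_by"].append(source)
        f["scores"][source] = score

    for purl in purls:
        ptype, name, version = parse_purl(purl)
        ecosystem = PURL_TO_OSV_ECOSYSTEM.get(ptype, ptype)
        for cve, rec in NVD_RECORDS.items():          # path 1: legacy NVD/CPE match
            if cpe_match(rec, name):
                record(purl, cve, "nvd", rec["cvss"])
        for adv in OSV_ADVISORIES:                    # path 2: OSV/purl version-range match
            if osv_match(adv, ecosystem, name, version):
                for cve in adv["aliases"]:
                    record(purl, cve, "osv", adv.get("cvss"))

    for f in findings.values():
        f["kev"] = f["cve"] in KEV
        f["priority"] = prioritise(f["cve"], f["scores"])
    return sorted(findings.values(), key=lambda f: PRIORITY_ORDER.index(f["priority"]))


if __name__ == "__main__":
    for f in triage(SBOM_COMPONENTS):
        print(f["priority"], f["cve"], f["purl"], "via", ",".join(f["matched_by"]), f["scores"])
```

Running it shows the point of both moves: the unenriched CVE for example-lib never surfaces on the NVD/CPE path at all and is found only through OSV, yet it lands at the top of the queue because it is in KEV, while the NVD-enriched demo-parser finding carries two different CVSS scores from two sources and sorts below it.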
Contribute upstream. The uncomfortable lesson of this episode is that vulnerability data is a public good that no single government was ever going to fund indefinitely. Every CPE mapping contributed to OSV or Vulnrichment is load-bearing for someone else’s security program.
The Question That Remains
NIST’s retreat isn’t really a budget story. It’s an admission that the “one agency enriches the world’s vulnerabilities” model has reached end-of-life. The direction forward — distributed, federated, open-source governance — is the right one. The risk is the transition window: how many organizations get breached because a CVE sat unanalyzed while the new system was still booting up.
The honest question for your team isn’t whether NVD comes back. It’s whether your vulnerability program can stand on its own without it.