Vulnerability Backlog: NIST’s CVE Triage Gambit Exposes Prioritization Dilemma
As the flood of new vulnerabilities overwhelms the National Vulnerability Database, NIST shifts to a risk-based approach - leaving many CVEs in limbo.
The cyber world is groaning under the weight of a vulnerability avalanche - and the National Institute of Standards and Technology (NIST) is waving the white flag of pragmatism. In a dramatic operational pivot, NIST is now triaging which software flaws get its coveted “enrichment” treatment in the National Vulnerability Database (NVD), a move that could reshape how defenders and attackers alike navigate the ever-expanding minefield of digital weaknesses.
Fast Facts
- NIST will now prioritize detailed NVD enrichment for vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) catalog and critical software used by federal agencies.
- Submissions of new Common Vulnerabilities and Exposures (CVEs) have surged 263% from 2020 to 2025, overwhelming existing processes.
- Entries outside the prioritized categories will be marked “Not Scheduled” for enrichment, though details can still be requested by users.
- Backlogged CVEs published before March 1, 2026, will be officially moved to the “Not Scheduled” category.
- NIST will no longer provide its own severity scores for CVEs already scored by their respective CVE Numbering Authority.
For years, NIST has strived to provide detailed analysis - known as “enrichment” - for every CVE cataloged in the NVD. But the numbers tell a story of a system buckling under exponential growth: a 263% rise in submissions in just five years, with 2026 already outpacing last year by a third. Last year alone, NIST enriched 42,000 vulnerabilities. Still, the backlog ballooned, threatening the value and timeliness of the NVD as a public resource.
The new approach is unapologetically risk-driven. Only CVEs that appear in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog, or that affect critical or federally used software, will get fast-tracked for enrichment - typically within a day of submission. The rest? They’re consigned to a new “Not Scheduled” status, effectively deprioritized unless a user specifically requests more information.
NIST argues this is a necessary response to the “surge” and a step toward long-term sustainability, including the development of automated enrichment tools. Yet, this triage introduces a seismic shift in how the security community consumes vulnerability intelligence. While all CVEs will still be listed in the NVD, many will lack crucial context or analysis, raising concerns about blind spots for defenders and opportunities for malicious actors.
Transparency is now a guiding principle: NIST will refresh CVE status labels and descriptions to clarify what has and hasn’t been enriched. The institute also announced it will no longer override severity ratings provided by official CVE Numbering Authorities, nor will it reanalyze entries unless changes are material. The hope is that these measures will allow NIST to focus on the vulnerabilities that pose the greatest systemic risk, rather than drowning in sheer volume.
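How a defender's own tooling might absorb the rules described above (CNA score treated as authoritative, KEV and federal-critical entries expedited, "Not Scheduled" entries surfaced rather than silently dropped), as an added example that is not NIST's or the NVD's code: the `CveRecord` layout and its field names are an assumed simplification, not the real NVD API schema, and the CVE IDs in the sample are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


# Assumed, simplified record shape (NOT the real NVD API schema): one CVE with
# its NVD status label, any NIST-assigned base score, any CNA-assigned base
# score, and the two flags NIST now uses to decide what gets expedited.
@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    nvd_status: str              # e.g. "Analyzed", "Not Scheduled"
    nist_score: Optional[float]  # CVSS base score assigned by NIST, if any
    cna_score: Optional[float]   # CVSS base score assigned by the CNA, if any
    in_kev: bool                 # listed in CISA's KEV catalog
    federal_critical: bool       # affects critical / federally used software


def effective_score(rec: CveRecord) -> Optional[float]:
    """The CNA rating is authoritative (NIST no longer overrides it); a legacy
    NIST score is the fallback; None means nobody has scored the CVE yet."""
    if rec.cna_score is not None:
        return rec.cna_score
    return rec.nist_score


def triage_bucket(rec: CveRecord) -> str:
    """Mirror NIST's own priority rule on the consumer side."""
    if rec.in_kev or rec.federal_critical:
        return "expedite"
    if effective_score(rec) is not None:
        return "standard"
    return "unenriched"  # no score from anyone: a potential blind spot


_BUCKET_RANK = {"expedite": 0, "standard": 1, "unenriched": 2}


def triage(records: List[CveRecord]) -> List[Tuple[str, str, Optional[float]]]:
    """Order a patch queue: KEV entries first, then other expedited CVEs, then
    scored CVEs by descending severity, with unscored ones last but visible."""
    def key(rec: CveRecord):
        score = effective_score(rec)
        return (_BUCKET_RANK[triage_bucket(rec)],
                0 if rec.in_kev else 1,
                -(score if score is not None else 0.0))
    return [(r.cve_id, triage_bucket(r), effective_score(r))
            for r in sorted(records, key=key)]


def needs_enrichment_request(records: List[CveRecord]) -> List[str]:
    """CVEs parked as "Not Scheduled" with no score from NIST or the CNA: the
    ones a defender would ask NIST to enrich, or score in-house."""
    return [r.cve_id for r in records
            if r.nvd_status == "Not Scheduled" and effective_score(r) is None]


# Constructed sample feed; the IDs are placeholders, not real CVEs.
SAMPLE_RECORDS = [
    CveRecord("CVE-0000-0001", "Analyzed", 7.5, 7.5, in_kev=True, federal_critical=False),
    CveRecord("CVE-0000-0002", "Not Scheduled", None, 9.8, in_kev=False, federal_critical=False),
    CveRecord("CVE-0000-0003", "Not Scheduled", None, None, in_kev=False, federal_critical=False),
    CveRecord("CVE-0000-0004", "Analyzed", 5.3, None, in_kev=False, federal_critical=True),
    CveRecord("CVE-0000-0005", "Not Scheduled", None, 4.3, in_kev=False, federal_critical=False),
]

if __name__ == "__main__":
    for cve_id, bucket, score in triage(SAMPLE_RECORDS):
        print(f"{cve_id}  {bucket:<11} score={score}")
    print("request enrichment for:", needs_enrichment_request(SAMPLE_RECORDS))
```

The point of the last function is the one the article raises: under the new regime an unscored "Not Scheduled" entry is not a signal that a flaw is harmless, only that no one has looked yet, so the queue keeps it visible instead of letting it sink below every scored item.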
As the vulnerability deluge shows no sign of ebbing, NIST’s high-stakes gamble may mark the beginning of a new era - one where prioritization, automation, and user engagement become as critical as the vulnerabilities themselves. The security world will be watching to see if this strategy fortifies the front lines or leaves dangerous gaps in our collective defenses.
WIKICROOK
- CVE (Common Vulnerabilities and Exposures): A CVE is a unique public identifier for a specific security vulnerability, enabling consistent tracking and discussion across the cybersecurity industry.
- NVD (National Vulnerability Database): The National Vulnerability Database (NVD) is the U.S. government’s official source for publicly disclosed software vulnerabilities and related security information.
- Enrichment: Enrichment is the process of adding context, severity, and remediation details to basic cybersecurity data, making it more useful for analysis and response.
- CISA KEV (Known Exploited Vulnerabilities): CISA KEV is a catalog of software and hardware vulnerabilities known to be actively exploited in the wild, helping organizations prioritize patching to defend against real-world cyber threats.
- CVE Numbering Authority: A CVE Numbering Authority assigns unique CVE IDs to vulnerabilities and shares initial details, ensuring consistent and transparent vulnerability disclosure.