The National Institute of Standards and Technology is changing how it analyzes newly disclosed vulnerabilities as it faces a massive backlog of digital flaws.
Due to “a surge in [Common Vulnerabilities and Exposures] submissions,” NIST said on Wednesday, the agency will perform detailed analyses only of CVEs that meet certain criteria: publication in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog, presence in software used by the federal government, or presence in “critical software” (as defined under Executive Order 14028, issued by the Biden administration).
NIST will continue to list all disclosed vulnerabilities in its National Vulnerability Database (NVD), but flaws that do not meet any of those criteria will not receive “enrichment,” the agency’s term for the detailed analysis that adds CVSS severity scores, CWE weakness classifications and CPE product identifiers to a record. Scanners and vulnerability-management pipelines that depend on NVD-supplied scores or CPE matching will therefore find those fields absent for most newly published CVEs.
NIST will also stop providing its own severity scores for CVEs that already carry a score from the submitting organization, the CVE Numbering Authority (CNA) that reported the flaw. In addition, NIST will reevaluate a CVE that is modified after enrichment only if it determines that the new information “materially impacts” its original analysis.
The rise of AI-powered vulnerability-detection tools has created a tidal wave of newly disclosed flaws that has overwhelmed digital defenders and maintainers of vulnerability catalogs. In recent years, NIST has struggled to keep up with the volume, creating a large backlog that led the agency to begin rethinking its approach.
The new triage system “will allow us to focus on CVEs with the greatest potential for widespread impact,” NIST said on Wednesday. “While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories.”
NIST said it enriched “nearly 42,000 CVEs” in 2025, but with disclosure rates climbing sharply (the number of newly reported flaws rose 263% between 2020 and 2025, according to the agency), its original enrichment plan was no longer sustainable.
In addition to allowing NIST to focus on the most serious vulnerabilities, the new system will allow the agency to “stabilize the [NVD] program while we develop the automated systems and workflow enhancements required for long-term sustainability,” according to the statement.
NIST also said it would stop working on the existing CVE backlog for now. “We will consider enriching those earlier vulnerabilities, applying the new prioritization criteria above, as resources allow,” the agency said.