Full Report
The National Institute of Standards and Technology will stop assigning severity scores to lower-priority vulnerabilities due to the growing workload from rising submission volumes. [...]
Analysis Summary
# Vulnerability: Policy Change - NIST Transition to Selective Vulnerability Enrichment
## CVE Details
- **CVE ID**: N/A (Strategic Policy Shift)
- **CVSS Score**: N/A
- **CWE**: N/A
## Affected Systems
- **Products**: National Vulnerability Database (NVD) enrichment pipeline.
- **Versions**: Active as of April 15, 2026.
- **Configurations**: Affects all vulnerabilities submitted to NVD that do not meet high-priority criteria.
## Vulnerability Description
As of April 15, 2026, NIST has officially scaled back its vulnerability analysis process in response to a 263% increase in submission volume. The NVD will no longer provide independent enrichment (CVSS severity scores, CPE product lists, or CWE weakness classifications) for vulnerabilities deemed "lower-priority."
NIST will now only enrich vulnerabilities that:
1. Are listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
2. Affect U.S. federal government software.
3. Involve "critical software" as defined by Executive Order 14028.
Vulnerabilities outside these categories will remain in the database with a "Not Scheduled" status, relying solely on the data provided by the originating CVE Numbering Authority (CNA).
## Exploitation
- **Status**: Not applicable (This is a procedural change to vulnerability management).
- **Complexity**: N/A
- **Attack Vector**: N/A
## Impact
- **Confidentiality**: Users may lack centralized data on data exposure risks for niche software.
- **Integrity**: Risk management processes may suffer from incomplete or delayed data regarding system integrity flaws.
- **Availability**: Security teams may face delays in identifying availability-impacting flaws in non-priority software.
## Remediation
### Patches
- Not applicable.
### Workarounds
- **Diversify Data Sources**: Security professionals should supplement NVD data with information directly from vendor advisories and the MITRE Corporation.
- **Request Enrichment**: Organizations can manually request the enrichment of specific CVEs by emailing `nvd[at]nist[dot]gov`.
- **CNA Reliance**: Shift focus to the CVSS scores and metadata provided by the original CVE Numbering Authority (CNA) rather than waiting for NIST verification.
## Detection
- **Indicators of Compromise**: Inaccurate or missing "CPE" (Common Platform Enumeration) strings in vulnerability scanners for newer, non-priority CVEs.
- **Detection Methods**: Monitor vulnerability management tools for a rise in "Not Scheduled" or "Undergoing Analysis" statuses for CVEs that would previously have been analyzed by NIST.
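The CNA fallback from the workarounds and the status monitoring described above can be combined in one triage pass. This is an added example, not code from NIST or from the report's author. It assumes records shaped like the NVD CVE API 2.0 JSON (`vulnStatus`, `metrics`, `configurations`) and that NVD-assigned metrics carry the source `nvd@nist.gov`; the sample records and CVE IDs are constructed placeholders.

```python
NVD_SOURCE = "nvd@nist.gov"  # assumption: source value on NVD-assigned metrics
UNENRICHED = {"Not Scheduled", "Undergoing Analysis"}  # statuses named on this page
METRIC_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")

def best_cvss(cve):
    """Return (score, severity, origin): NVD's metric if present, else the CNA's."""
    found = {}
    for key in METRIC_KEYS:  # newest CVSS version first
        for m in cve.get("metrics", {}).get(key, []):
            origin = "NVD" if m.get("source") == NVD_SOURCE else "CNA"
            data = m.get("cvssData", {})
            severity = data.get("baseSeverity") or m.get("baseSeverity")  # v2 keeps it on the metric
            found.setdefault(origin, (data.get("baseScore"), severity, origin))
    return found.get("NVD") or found.get("CNA") or (None, None, "none")

def triage(response):
    """One row per CVE: which score to trust and whether a human must look at it."""
    rows = []
    for item in response.get("vulnerabilities", []):
        cve = item["cve"]
        score, severity, origin = best_cvss(cve)
        if cve.get("vulnStatus") not in UNENRICHED:
            action = "none"
        elif origin == "none":
            action = "manual review"  # no score anywhere: vendor advisory or enrichment request
        else:
            action = f"use {origin} score"
        rows.append({"id": cve["id"], "status": cve.get("vulnStatus"), "score": score,
                     "severity": severity, "origin": origin,
                     "has_cpe": bool(cve.get("configurations")), "action": action})
    return rows

def unenriched_ratio(rows):
    """Share of records needing a fallback; a rising value is the signal to monitor."""
    return sum(r["action"] != "none" for r in rows) / len(rows) if rows else 0.0

# Constructed sample records (placeholder IDs and scores), not real NVD data.
SAMPLE = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed", "configurations": [{"nodes": []}],
             "metrics": {"cvssMetricV31": [{"source": NVD_SOURCE,
                         "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Not Scheduled",
             "metrics": {"cvssMetricV31": [{"source": "cna@example.com",
                         "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Not Scheduled", "metrics": {}}},
]}

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Rows with `has_cpe` set to false are the ones a CPE-matching scanner is likely to miss, so they need product mapping from the vendor advisory.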
## References
- NIST Official Announcement: hxxps[://]www[.]nist[.]gov/news-events/news/2026/04/nist-updates-nvd-operations-address-record-cve-growth
- Bleeping Computer Article: hxxps[://]www[.]bleepingcomputer[.]com/news/security/nist-to-stop-rating-non-priority-flaws-due-to-volume-increase/