The National Institute of Standards and Technology (NIST) announced that all CVEs published before January 1, 2018, will be marked as ‘Deferred’ in the National Vulnerability Database (NVD). This means that NIST will no longer prioritize updating NVD enrichment or initial enrichment data for these CVEs unless they are listed in CISA’s Known Exploited Vulnerabilities catalog. A banner will appear on the CVE Detail Pages of deferred entries to indicate this status. NIST emphasized that updates will only occur if new information makes them necessary.
After the announcement, the count of CVEs marked as Deferred quickly grew to 20,000, with the potential to reach 100,000, because approximately one-third of CVEs in the NVD are older than 2018.
NIST's decision was driven by the need to prioritize newer vulnerabilities. It follows delays in CVE analysis that have left NIST with a growing backlog of CVE entries.
NIST has been working to address the backlog for over a year, seeking outside help and developing new systems. Initially, NIST had expected to clear the backlog by the end of fiscal year 2024 but struggled due to inefficiencies in processing incoming data. In November, the institute acknowledged these difficulties and stated that it was working on new systems to improve data processing efficiency.
Despite these efforts, NIST revealed last month that a 32% increase in CVE submissions in 2024 had exacerbated the backlog. With submissions expected to continue rising, NIST is now considering adopting AI and machine learning to handle the growing volume of CVEs more effectively.