The National Institute of Standards and Technology (NIST) on Wednesday announced an update to its National Vulnerability Database (NVD) operations to better manage the current volume of new CVEs.
The update involves the adoption of a risk-based model for adding details to CVE entries, a process it has historically referred to as ‘enrichment’.
Until now, NIST has made efforts to enrich all CVE entries in the NVD, but the high flow of new CVEs is making this a difficult task, and the institute has been struggling for years to clear the growing backlog of submissions.
Moving forward, NIST will focus on enriching CVEs that have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog within one day of submission. Additionally, it will enrich entries for vulnerabilities in software used by federal agencies and in critical software as defined by EO 14028.
“This change is driven by a surge in CVE submissions, which increased 263% between 2020 and 2025. We don’t expect this trend to let up anytime soon. Submissions during the first three months of 2026 are nearly one-third higher than the same period last year,” NIST says.
Last year, the institute enriched 42,000 CVEs, but it still lags behind the growing volume of submissions; the new changes will allow it to focus on critical CVEs.
While new CVEs will still be added to NVD, they will be categorized as ‘Not Scheduled’ for enrichment, unless they meet the above criteria. However, users can request the addition of details for unscheduled CVEs via email.
“While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories,” NIST notes.
The implementation of the new prioritization criteria will result in the backlog of unenriched CVEs published to the NVD before March 1, 2026, being moved to the Not Scheduled category.
Additionally, the institute will not provide its own severity score for CVEs that have a score submitted by their CVE Numbering Authority and will not reanalyze entries modified after enrichment unless the modifications materially impact the enrichment data.
CVE status labels and descriptions will also be updated, as NIST strives to better communicate CVE status and provide transparency on how it manages the current workload.
“We recognize that these changes will affect our users. However, this risk-based approach is necessary to manage the current surge in CVE submissions while we work to align our efforts with the needs of the NVD community. This shift also allows us to dedicate the resources required to develop the automated systems and workflow enhancements that will ensure the program’s long-term sustainability,” NIST says.