SecurityWeek

NIST Still Struggling to Clear Vulnerability Submissions Backlog in NVD

The effects of the backlog are already being felt in vulnerability management circles where NVD data promises an enriched source of truth.

The National Institute of Standards and Technology (NIST) is still struggling to clear the growing backlog of CVEs in the official National Vulnerability Database, and the problem will only get worse this year.

That’s the gist of a fresh NIST update with an admission that the current pace of processing vulnerabilities is simply not enough to keep up with the surge in submissions.

According to the update, while the National Vulnerability Database (NVD) is processing incoming CVEs at the same rate as before the slowdown in spring and early summer 2024, a 32 percent jump in submissions last year means that the backlog continues to grow.

“We anticipate that the rate of submissions will continue to increase in 2025,” the institute said, noting that it is exploring the use of AI and machine learning to automate certain processing tasks.

The effects of the backlog are already being felt in vulnerability management circles, where NVD data is presented as a source of truth, with ongoing triaging and enrichment of that data.

Without faster processing of vulnerability data, the gap between reported issues and actionable intelligence has widened and is causing major problems for organizations relying on timely information to protect their systems.

NIST has explained that the NVD’s current workflows and data ingestion systems were designed for lower CVE submission volumes and that outdated formats and manual enrichment procedures created significant bottlenecks.

Despite efforts to bolster staffing, the number of trained analysts and automated tools has not scaled to match the surge in CVE reports.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
