NIST cuts down CVE analysis amid vulnerability overload
4 hours ago
- #vulnerability management
- #cybersecurity
- #NIST
- NIST will prioritize enrichment for CVEs listed in CISA's KEV catalog and other high-priority software, aiming to process them within one business day.
- Due to a backlog of over 30,000 CVEs and a 263% increase in submissions (2020-2025), NIST will label most CVEs as 'not scheduled' and forgo enrichment for non-critical ones.
- The agency plans to use AI, large language models, and automation to handle rising CVE volumes, with potential delegation to CVE Numbering Authorities (CNAs).
- AI-driven vulnerability discovery (e.g., Anthropic's Mythos) is contributing to a surge in CVEs, with predictions exceeding 50,000 in 2026 and possibly reaching 100,000.
- Security leaders face challenges in inventory management and patching, as software classification under NIST's priority list remains vague and patch volumes increase.