Your vulnerability scanner just detected 47 new CVEs overnight. Normally, you would check the National Vulnerability Database (NVD) for CVSS severity scores, affected-product (CPE) data, and references to vendor advisories. But this morning, half of those CVEs show a status you have never seen before: "Not Scheduled."
Welcome to the new reality of vulnerability management. On April 15, 2026, NIST dropped a bombshell that is reshaping how every security team in the world prioritizes threats. After years of struggling to keep pace with an explosion of disclosed vulnerabilities, the National Institute of Standards and Technology has officially admitted defeat. They can no longer analyze every CVE.
The numbers are staggering. CVE submissions surged 263% between 2020 and 2025. The first three months of 2026 saw submissions one-third higher than the same period last year. Despite enriching a record 42,000 CVEs in 2025 - 45% more than any prior year - NIST is drowning in the flood.
This is not just a bureaucratic backlog. This is a fundamental shift in how the cybersecurity industry manages risk. And if your vulnerability management program relies on NVD enrichment data, you need to adapt immediately.
What NIST Actually Changed (And Why It Matters)
The New Prioritization Criteria
Starting April 15, 2026, NIST will only "enrich" CVEs that meet one of three specific criteria:
1. CISA KEV Catalog Entries
CVEs appearing in CISA's Known Exploited Vulnerabilities catalog get top priority. NIST aims to enrich these within one business day of receipt. These are vulnerabilities with confirmed active exploitation in the wild - the threats that are already burning down systems somewhere.
2. Federal Government Software
CVEs affecting software used within the federal government. This prioritization reflects NIST's mandate to support federal cybersecurity, but it also means enterprise software not used by the government may go unenriched.
3. Critical Software (EO 14028)
CVEs affecting software classified as "critical" under Executive Order 14028. This includes software designed to run with elevated privilege, having privileged access to networking or computing resources, controlling access to data or operational technology, or operating outside normal trust boundaries.
Everything else is marked "Not Scheduled": still listed in the NVD with the CNA's description and references, but without the CVSS scoring, CWE weakness classification, and CPE product enumeration that security teams have relied on for years.
Additional Operational Changes
NIST is not just limiting enrichment. They are fundamentally changing how the NVD operates:
No More Duplicate Severity Scores
Previously, NIST provided its own CVSS scores even when CVE Numbering Authorities had already scored vulnerabilities. Going forward, they will rely on CNA-provided scores, eliminating this redundancy.
Modified CVE Reanalysis
The previous policy of reanalyzing all modified CVEs is gone. Now NIST will only reanalyze when modifications "materially impact" the enrichment data. This means changes that do not fundamentally alter the vulnerability's nature may go unreviewed.
The Backlog Bomb
All unenriched CVEs with an NVD publish date earlier than March 1, 2026, are being moved to "Not Scheduled" status. This represents thousands of vulnerabilities that were queued for analysis but will now never receive NIST enrichment.
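To see what that change looks like in the data rather than on a dashboard, here is an added example (not from the NIST announcement and not NVD tooling) that walks NVD API 2.0 records and separates NIST-enriched CVEs from those carrying only a CNA-supplied score or no score at all. The records are constructed with placeholder IDs, not real CVEs; the "Not Scheduled" label is the one the article quotes, but the logic keys off the presence of NIST metrics and CPE configurations rather than the label, so it holds whatever status string a record carries.

```python
"""Tell NIST-enriched CVEs from unenriched ones in NVD API 2.0 output.

Added example with constructed records (placeholder CVE IDs). The field
names follow the NVD API 2.0 layout: vulnerabilities[].cve with
vulnStatus, metrics.cvssMetricV31[] (each entry has a 'source'),
configurations[].nodes[].cpeMatch[], and cisaExploitAdd for KEV entries.
"""
from typing import Optional

NIST = "nvd@nist.gov"
# Newest CVSS version first; NVD publishes each version under its own key.
METRIC_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


def pick_cvss(metrics: dict) -> tuple[Optional[float], Optional[str]]:
    """Prefer NIST's own base score; fall back to the CNA's; else (None, None)."""
    nist = cna = None
    for key in METRIC_KEYS:
        for m in metrics.get(key, []):
            score = m.get("cvssData", {}).get("baseScore")
            if score is None:
                continue
            if m.get("source") == NIST:
                nist = nist or (float(score), NIST)
            else:
                cna = cna or (float(score), m.get("source", "unknown"))
    return nist or cna or (None, None)


def classify(record: dict) -> dict:
    """Summarize one vulnerabilities[] entry: status, score provenance, KEV, CPE count."""
    cve = record["cve"]
    score, source = pick_cvss(cve.get("metrics", {}))
    cpe_count = sum(len(node.get("cpeMatch", []))
                    for cfg in cve.get("configurations", [])
                    for node in cfg.get("nodes", []))
    return {
        "id": cve["id"],
        "status": cve.get("vulnStatus"),          # label only; not used for decisions
        "in_kev": "cisaExploitAdd" in cve,        # NVD mirrors KEV membership here
        "cvss": score,
        "cvss_source": source,
        "cpe_count": cpe_count,
        "nist_enriched": source == NIST or cpe_count > 0,
    }


def summarize(feed: dict) -> dict:
    """Counts a vulnerability manager wants from one page of API results."""
    rows = [classify(r) for r in feed["vulnerabilities"]]
    return {
        "total": len(rows),
        "nist_enriched": sum(r["nist_enriched"] for r in rows),
        "cna_score_only": sum(r["cvss"] is not None and not r["nist_enriched"] for r in rows),
        "unscored": sum(r["cvss"] is None for r in rows),
        "in_kev": sum(r["in_kev"] for r in rows),
    }


# Constructed sample feed: one fully enriched KEV entry, one CNA-scored-only
# record, one record with no score at all. IDs are placeholders.
FEED = {"format": "NVD_CVE", "version": "2.0", "vulnerabilities": [
    {"cve": {"id": "CVE-2026-0001", "vulnStatus": "Analyzed",
             "cisaExploitAdd": "2026-04-16", "cisaActionDue": "2026-05-07",
             "metrics": {"cvssMetricV31": [
                 {"source": NIST, "type": "Primary",
                  "cvssData": {"version": "3.1", "baseScore": 9.8}},
                 {"source": "security@example.org", "type": "Secondary",
                  "cvssData": {"version": "3.1", "baseScore": 9.1}}]},
             "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:example:vpn:1.0:*:*:*:*:*:*:*"},
                 {"vulnerable": True, "criteria": "cpe:2.3:a:example:vpn:1.1:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-2026-0002", "vulnStatus": "Not Scheduled",
             "metrics": {"cvssMetricV31": [
                 {"source": "security@example.org", "type": "Secondary",
                  "cvssData": {"version": "3.1", "baseScore": 7.5}}]}}},
    {"cve": {"id": "CVE-2026-0003", "vulnStatus": "Not Scheduled"}},
]}

if __name__ == "__main__":
    for r in FEED["vulnerabilities"]:
        print(classify(r))
    print(summarize(FEED))
```

Point it at the JSON returned by the real endpoint, https://services.nvd.nist.gov/rest/json/cves/2.0, and the `cna_score_only` and `unscored` counts tell you how much of your scanner's backlog now arrives without NIST's scoring or CPE data. The `cvss_source` field is worth keeping in your records: a CNA score and a NIST score for the same CVE can differ, as the first sample shows, and after this change the CNA's number is the only one you will get for most new entries.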
Why This Is Happening Now
The Vulnerability Explosion
The 263% surge in CVE submissions since 2020 tells a clear story. Software is eating the world, and vulnerabilities are eating software. Several factors are driving this explosion:
Increased Security Research
The bug bounty economy has matured. Security researchers worldwide are hunting vulnerabilities full-time. Tools for automated vulnerability discovery have become more sophisticated and accessible. What once required weeks of manual analysis now happens in hours.
Expanding Attack Surface
Every IoT device, cloud service, mobile app, and AI system adds new code - and new vulnerabilities. The software supply chain has grown exponentially complex. A single modern application may depend on hundreds of open-source libraries, each with its own potential vulnerabilities.
Improved Disclosure Practices
The stigma around vulnerability disclosure has diminished. Organizations are more willing to report and catalog security flaws. While this transparency is positive for security overall, it creates an overwhelming volume of data to process.
AI-Assisted Discovery
Here is where it gets particularly relevant to our readers. AI systems like Anthropic's Claude Mythos are now autonomously discovering vulnerabilities at unprecedented scale. Mythos found thousands of zero-days across every major OS and browser. As more organizations deploy AI for security research, the CVE submission rate will likely accelerate further.
Resource Constraints
NIST has been transparent about the resource challenge. They enriched 42,000 CVEs in 2025 - a record - and it still was not enough. The agency has repeatedly pledged to clear the backlog but admitted defeat on April 15, 2026.
The reality is that manual CVE enrichment does not scale. Each vulnerability requires a human analyst to identify the affected products and encode them as CPE applicability statements, assign a CVSS vector and severity, classify the weakness (CWE), and tag the references. With submissions continuing to accelerate, the gap between what is disclosed and what is analyzed will only widen.
What This Means for Enterprise Security Teams
The End of Complete Visibility
For two decades, security teams could rely on the NVD as a comprehensive source of vulnerability intelligence. If a CVE existed, NIST would eventually enrich it with the context needed for prioritization. That guarantee is now gone.
Your vulnerability scanner will still detect CVEs. But for an increasing percentage of them, you will not have NVD enrichment data to guide your response. No CVSS score from NIST. No detailed product enumeration. No official impact analysis.
This creates a dangerous blind spot. Vulnerabilities marked "Not Scheduled" are not necessarily low-risk. They simply did not meet NIST's new prioritization criteria. A critical vulnerability in enterprise software not used by the federal government could go unenriched indefinitely.
Increased Reliance on Commercial Sources
Organizations will increasingly need to supplement NVD data with commercial vulnerability intelligence feeds. Vendors like VulnCheck, Flashpoint, and Recorded Future already provide enriched vulnerability data beyond what's in the NVD. Expect demand for these services to surge - along with their prices.
The Rise of Risk-Based Triage
NIST's shift to prioritization criteria mirrors what sophisticated security teams have already been doing: risk-based vulnerability management. Rather than treating all CVEs equally, organizations must develop their own prioritization frameworks based on:
- Exploitation Status: Is the vulnerability being actively exploited?
- Asset Criticality: What systems would be affected?
- Exposure: Are affected systems internet-facing or internal only?
- Compensating Controls: Do existing defenses mitigate the risk?
- Threat Intelligence: Are threat actors discussing or weaponizing this vulnerability?
The Patch Gap Problem
The New York Times recently highlighted an old concern at new scale: the "patch gap." Once a vulnerability is disclosed and patched, attackers can diff the patch to locate the flaw and build an exploit, often before most organizations have deployed the fix. Historically, this affected one or two patches at a time. Now, with AI systems discovering vulnerabilities at scale, we face hundreds or thousands of simultaneous patch gaps.
NIST's inability to enrich all CVEs exacerbates this problem. Security teams may not have the context needed to prioritize patching, extending the window of exposure for critical vulnerabilities.
How to Adapt Your Vulnerability Management Program
1. Diversify Your Intelligence Sources
Do not rely solely on the NVD. Supplement with:
- Commercial Vulnerability Feeds: VulnCheck, Flashpoint, Recorded Future, and others provide enriched data beyond NVD
- Vendor Security Advisories: Subscribe directly to security notifications from your critical vendors
- CISA KEV Catalog: Monitor this closely. It is the authoritative list of vulnerabilities CISA has confirmed as exploited, but it is a floor, not a ceiling: absence from KEV is not evidence that a bug is unexploited
- Threat Intelligence Platforms: Integrate vulnerability data with threat actor activity tracking
2. Implement Risk-Based Prioritization
Develop your own prioritization framework that goes beyond CVSS scores. Consider:
- Exploit Prediction Scoring System (EPSS): Maintained by FIRST (not CISA), EPSS estimates the probability that a CVE will be exploited in the wild within the next 30 days, and is refreshed daily
- Asset Context: A CVSS 9.8 vulnerability on an isolated test system is less urgent than a CVSS 7.0 on your internet-facing payment gateway
- Business Impact: What would be the actual cost of exploitation? Data breach? Ransomware? Downtime?
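Pulling together the prioritization factors listed under "The Rise of Risk-Based Triage", the intelligence sources in step 1, and the EPSS and asset-context points in step 2, here is an added example of a triage pass. It is my own illustration, not Hexon.bot's method and not a published standard: it joins scanner findings with a CISA KEV catalog excerpt in the catalog's JSON layout, an EPSS extract in FIRST's CSV layout, and a local asset inventory, then ranks by a priority formula in which confirmed exploitation dominates, exposure and criticality multiply, a compensating control discounts, and an unscored "Not Scheduled" CVE is treated as medium rather than ignored. All inputs are constructed samples with placeholder CVE IDs, and the weights are assumptions to tune for your environment.

```python
"""Risk-based triage that does not depend on NVD enrichment.

Added example. Inputs are constructed samples in the same shapes as the
real feeds (KEV JSON, FIRST EPSS CSV); CVE IDs are placeholders. The
weights below are illustrative assumptions, not a standard.
"""
import csv
import io
import json

# CISA KEV catalog excerpt, same field names as the published JSON.
KEV_JSON = json.dumps({
    "catalogVersion": "example",
    "vulnerabilities": [
        {"cveID": "CVE-2026-0001", "vendorProject": "ExampleCo", "product": "VPN",
         "dateAdded": "2026-04-16", "dueDate": "2026-05-07",
         "knownRansomwareCampaignUse": "Known"},
    ],
})

# FIRST EPSS bulk CSV: a '#' metadata line, then cve,epss,percentile.
EPSS_CSV = """#model_version:example,score_date:2026-04-17T00:00:00+0000
cve,epss,percentile
CVE-2026-0001,0.92000,0.99800
CVE-2026-0002,0.40000,0.97000
CVE-2026-0003,0.05000,0.80000
CVE-2026-0004,0.02000,0.55000
"""

# Scanner findings; cvss is None where neither NIST nor the CNA scored it.
FINDINGS = [
    {"cve": "CVE-2026-0001", "asset": "vpn-gw-01",   "cvss": 9.8},
    {"cve": "CVE-2026-0002", "asset": "pay-api-01",  "cvss": None},
    {"cve": "CVE-2026-0003", "asset": "test-box-07", "cvss": 9.8},
    {"cve": "CVE-2026-0004", "asset": "hr-portal",   "cvss": 7.0},
]

# Local asset inventory: the context no external feed can supply.
ASSETS = {
    "vpn-gw-01":   {"exposure": "internet", "criticality": "high",   "compensating_control": False},
    "pay-api-01":  {"exposure": "internet", "criticality": "high",   "compensating_control": False},
    "test-box-07": {"exposure": "isolated", "criticality": "low",    "compensating_control": True},
    "hr-portal":   {"exposure": "internal", "criticality": "medium", "compensating_control": False},
}

# Illustrative weights (assumptions).
UNKNOWN_CVSS = 5.0       # unscored is not harmless; treat as medium until proven otherwise
KEV_BONUS = 10.0         # confirmed exploitation outranks any severity score
RANSOMWARE_BONUS = 2.0
EXPOSURE = {"internet": 1.5, "internal": 1.0, "isolated": 0.5}
CRITICALITY = {"high": 1.5, "medium": 1.0, "low": 0.7}
CONTROL_DISCOUNT = 0.6


def load_kev(text: str) -> dict:
    """Index the KEV catalog by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def load_epss(text: str) -> dict:
    """Parse FIRST's CSV, skipping the leading '#' metadata line."""
    rows = csv.DictReader(line for line in io.StringIO(text) if not line.startswith("#"))
    return {r["cve"]: float(r["epss"]) for r in rows}


def score_finding(finding: dict, asset: dict, kev: dict, epss: dict) -> tuple[float, list]:
    """Additive evidence (CVSS, EPSS, KEV) scaled by asset context; returns (score, reasons)."""
    reasons = []
    score = finding["cvss"] if finding["cvss"] is not None else UNKNOWN_CVSS
    if finding["cvss"] is None:
        reasons.append("no CVSS (unenriched); using default")
    score += 10 * epss.get(finding["cve"], 0.0)      # EPSS is a 0..1 probability
    entry = kev.get(finding["cve"])
    if entry:
        score += KEV_BONUS
        reasons.append(f"CISA KEV, due {entry['dueDate']}")
        if entry.get("knownRansomwareCampaignUse") == "Known":
            score += RANSOMWARE_BONUS
            reasons.append("known ransomware use")
    score *= EXPOSURE[asset["exposure"]] * CRITICALITY[asset["criticality"]]
    if asset["compensating_control"]:
        score *= CONTROL_DISCOUNT
        reasons.append("compensating control present")
    return round(score, 2), reasons


def rank(findings: list, assets: dict, kev_text: str, epss_text: str) -> list:
    """Return findings ordered highest priority first."""
    kev, epss = load_kev(kev_text), load_epss(epss_text)
    ranked = []
    for f in findings:
        score, reasons = score_finding(f, assets[f["asset"]], kev, epss)
        ranked.append({"cve": f["cve"], "asset": f["asset"], "priority": score, "reasons": reasons})
    return sorted(ranked, key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    for row in rank(FINDINGS, ASSETS, KEV_JSON, EPSS_CSV):
        print(f"{row['priority']:6.2f}  {row['cve']}  {row['asset']}  {'; '.join(row['reasons'])}")
```

On the sample data the KEV entry on the internet-facing VPN gateway comes out first, the unscored "Not Scheduled" CVE on the payment API second, and the CVSS 9.8 on the isolated, controlled test box last, which is the ordering the asset-context rule above calls for. The `reasons` list is deliberately carried through so an analyst can see why a ticket ranks where it does; a score without its justification is just another number nobody trusts. For real runs, replace the constants with the live KEV JSON from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and FIRST's daily EPSS CSV.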
3. Automate Where Possible
Manual vulnerability management cannot scale to meet the current threat landscape. Invest in:
- Vulnerability Scanning Automation: Continuous scanning with immediate alerting
- Patch Management Systems: Automated deployment for non-critical systems
- SOAR Integration: Automate vulnerability response workflows
- AI-Assisted Triage: Use machine learning to prioritize vulnerabilities based on your environment
4. Focus on What Matters
With limited resources, ruthless prioritization is essential:
- Patch CISA KEV vulnerabilities first: These are confirmed actively exploited
- Address internet-facing systems: External exposure dramatically increases risk
- Secure your supply chain: Third-party and open-source vulnerabilities are increasingly exploited
- Do not chase every CVE: Some vulnerabilities pose minimal real-world risk - focus on those that matter
5. Build Internal Expertise
With NIST providing less enrichment, your team will need to do more analysis internally:
- Train analysts on vulnerability research: Understanding how to analyze CVEs without NVD enrichment
- Develop internal scoring methodologies: Create risk scores specific to your environment
- Build relationships with security researchers: Direct channels for vulnerability disclosure
The Bigger Picture: What This Signals
NIST's decision is a canary in the coal mine for the cybersecurity industry. It signals several uncomfortable truths:
The Current Model Is Unsustainable
Manual analysis of every disclosed vulnerability cannot scale to meet the current pace of discovery. The industry needs new approaches - likely involving AI and automation - to handle the volume.
Fragmentation Is Coming
With NIST no longer providing comprehensive enrichment, we will see fragmentation in vulnerability intelligence. Different organizations will have different views of risk based on their intelligence sources. This creates opportunities for confusion and inconsistency.
AI Is Accelerating Everything
AI systems are discovering vulnerabilities faster than humans can analyze them. This asymmetry will only grow as AI capabilities improve. Defenders need AI-powered tools to keep pace.
Government Priorities Differ from Enterprise Needs
NIST's prioritization criteria favor federal government needs. Critical enterprise software not used by the government may go unenriched. Commercial providers will need to fill this gap - for a price.
FAQ: NIST CVE Enrichment Changes
What is CVE "enrichment" and why does it matter?
Enrichment is the analysis NIST adds on top of the CVE record it receives from the CVE Numbering Authority (CNA). That record already carries an ID, a description, references, and sometimes a CNA-assigned CVSS score. NIST enrichment adds its own CVSS scoring, a CWE weakness classification, and CPE applicability statements that enumerate affected products and versions in machine-readable form, which is what scanners and asset-matching tools key on. Without enrichment, you know a vulnerability exists but lack the structured context to match it to your inventory and prioritize it.
Will the NVD go away entirely?
No. The NVD will continue to list all disclosed CVEs. NIST is only stopping the enrichment process for CVEs that do not meet their prioritization criteria. The database will still exist - it will just be less comprehensive.
Can I request enrichment for specific CVEs?
Yes. NIST allows users to request enrichment of unscheduled CVEs by emailing nvd@nist.gov. However, they will review these requests and schedule them "as resources allow." Given the backlog, expect significant delays.
What vulnerabilities are most likely to go unenriched?
Vulnerabilities in software not used by the federal government, non-critical software, and CVEs not actively exploited are most likely to be marked "Not Scheduled." This includes many enterprise applications, specialized industry software, and newly discovered vulnerabilities without confirmed exploitation.
How should I prioritize patches without NVD enrichment?
Focus on:
- CISA KEV catalog entries (confirmed active exploitation)
- Internet-facing systems
- Critical business applications
- Vulnerabilities with publicly available exploits
- Vendor security advisories marking issues as critical
Are commercial vulnerability feeds worth the cost?
For most enterprise security teams, yes. Commercial feeds provide enrichment for CVEs that NIST will no longer analyze. They also offer additional context like threat actor activity, exploit availability, and industry-specific risk analysis. The cost of a feed is typically far less than the cost of a breach from an unpatched vulnerability.
How does this affect compliance requirements?
Compliance frameworks that reference NVD enrichment may need updates. Organizations should review their compliance obligations and determine if alternative vulnerability intelligence sources satisfy requirements. Expect regulatory guidance on this issue in the coming months.
Will AI make this problem better or worse?
Both. AI systems are discovering vulnerabilities faster than ever, contributing to the submission surge. However, AI can also help analyze vulnerabilities at scale. The industry needs AI-powered enrichment tools that can process CVEs automatically, providing the context that NIST can no longer deliver manually.
What is the "patch gap" and why does it matter?
The patch gap is the window between when a vulnerability is patched and when organizations actually apply the patch. During this window, attackers can reverse-engineer the patch to develop exploits. With more vulnerabilities being discovered and disclosed, the number of simultaneous patch gaps increases, stretching security team resources.
How can smaller organizations with limited resources adapt?
Smaller organizations should:
- Prioritize CISA KEV vulnerabilities above all else
- Use free threat intelligence sources like CISA alerts
- Focus on internet-facing systems
- Consider managed security services that include vulnerability intelligence
- Leverage vendor security advisories for critical products
Conclusion: The New Normal
NIST's decision to limit CVE enrichment is not a temporary measure. It is a permanent acknowledgment that the current vulnerability disclosure and analysis model cannot scale to meet modern demands. The 263% surge in submissions is not a blip - it is the new normal.
For security teams, this means adapting to a world of incomplete information. You will not have NVD enrichment for every CVE. You will need to develop your own prioritization frameworks. You will need to invest in alternative intelligence sources. You will need to accept that some vulnerabilities will go unanalyzed by official channels.
This is challenging, but it is also an opportunity. Organizations that develop sophisticated risk-based vulnerability management programs will have a competitive advantage over those still trying to patch everything. The teams that learn to focus on what matters - actively exploited vulnerabilities, internet-facing systems, critical business assets - will be more effective than those drowning in CVE alerts.
The vulnerability tsunami is here. NIST has shown us that the old defenses cannot hold. It is time to build new ones.
Need help adapting your vulnerability management program? Contact Hexon.bot for a security assessment and customized defense strategy.
Sources:
- NIST News Announcement: "NIST Updates NVD Operations to Address Record CVE Growth" (April 15, 2026)
- The Hacker News: "NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions" (April 16, 2026)
- CISA KEV Catalog Addition: CVE-2026-34197 Apache ActiveMQ (April 16, 2026)
- The New York Times: "Washington's Scramble to Get Mythos, Anthropic's Powerful New Model" (April 17, 2026)
- Bleeping Computer: "CISA flags Apache ActiveMQ flaw as actively exploited in attacks" (April 16, 2026)