How data processing delays, inaccuracies, and systemic challenges in the National Vulnerability Database are impacting security teams and what you can do about it.
When security professionals make critical patching decisions, they often turn to the National Vulnerability Database (NVD), but here's an uncomfortable truth: nearly 70% of CVEs added to NVD between February and September 2024 were still awaiting analysis, missing crucial context like affected products and severity scores.
This isn't just a statistical problem; it's an ongoing crisis that's undermining our collective security posture.
The Foundation: Understanding NVD and the CVE Ecosystem
Before diving into the problems, it's important to understand how the vulnerability reporting ecosystem actually works and where NVD comes into play. NVD, maintained by NIST (National Institute of Standards and Technology), is often viewed as a central source for vulnerability intelligence, but it operates separately from the CVE Program.
While CNAs (CVE Numbering Authorities) publish basic vulnerability information to the CVE list, NVD takes that information and enriches it with additional context: severity scoring, lists of affected products, and detailed vulnerability classifications.
This enrichment process is what makes NVD so valuable and what makes its current gaps so problematic.
What's Happening: Thousands of Backlogged CVEs
Data Processing Delays and Scalability Concerns
The most visible problem is the massive backlog that began accumulating in early 2024 due to processing delays. Of the CVEs added to NVD in the past year, around 44% have an "awaiting analysis" status. These entries lack the enriched data that security teams depend on: no affected product lists, no CVSS scores, and no actionable intelligence.
In the past couple of decades, the cybersecurity industry has exploded in size and complexity, but the systems designed to track vulnerabilities haven't kept pace. This raises questions about whether the current infrastructure can handle the volume of vulnerabilities being discovered today, let alone tomorrow.
Resource Constraints and Funding Uncertainty
NIST has faced significant resource constraints, including staff shortages, internal restructuring, and around a 12% budget cut last year. Meanwhile, MITRE’s government contract for the CVE program was set to expire in April 2025 without immediate renewal. At the last minute, CISA decided to step in and maintain funding continuity for the following year.
Broader Impact
Security Vendors and Tools
Many security products, vulnerability scanners, and management tools rely on NVD as their primary data source. When NVD has incomplete or incorrect information, these downstream tools inherit the same problems. Security providers must either accept degraded data quality or invest resources in finding and integrating alternative sources.
Admins and Security Teams
Teams that use CVSS scores for prioritization can't function effectively when those scores are missing. Vulnerability triage slows down when critical context is unavailable. Most importantly, the fundamental goal, protecting organizations from threats, becomes harder to achieve.
Overall Security Risk
At the macro level, delays and inaccuracies in vulnerability information create gaps in security posture across the entire industry. When critical vulnerabilities aren't properly categorized or when fix information is incorrect, the window of exposure extends far longer than it should.
Here are a couple of examples of CVEs where additional research and enrichment were required by our research team in order to surface the vulnerability.
CVE-2024-6604:
Consider CVE-2024-6604, a Mozilla vulnerability that illustrates the dangers of inaccurate NVD data. The description clearly stated that upgrading to Firefox version 128 would resolve the security issue.
However, NVD's "Known Affected Software Configurations" section incorrectly listed the vulnerability as affecting Firefox versions "up to excluding 126.0", meaning administrators who relied on the NVD configuration data rather than the description and upgraded only to version 126 or 127 would still be vulnerable.
This record was analyzed in April 2024 and currently remains incorrect, demonstrating that these aren't just temporary delays but persistent accuracy problems that could leave organizations exposed.
CVE-2025-6554:
Another example, CVE-2025-6554 affecting Google Chrome, highlights a gap in OS-specific information. NVD's initial analysis showed only one affected version range without specifying operating systems.
It took nearly 2 weeks for a re-analysis to add the crucial detail that different Chrome versions were affected on Windows (138.0.7204.96) versus Mac and Linux (138.0.7204.92) in the software configurations section, while the description remained unchanged.
During those 2 weeks, Mac and Linux administrators lacked the specific information needed to determine their actual exposure and take appropriate action.
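Both records above went wrong in the same structural place: the machine-readable configuration block disagreed with, or lagged behind, the human-readable description. The following Python is an added example (not Kandji's code and not the real NVD entries) showing the consistency check a team can run over NVD API 2.0 style records before trusting them: it extracts "Product < X" fix versions from the description, compares them with each CPE match's `versionEndExcluding`, and flags records that have no configuration data at all. The records, the EXAMPLE-CVE identifiers and the description wording are constructed to mirror the situations described in this article.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records shaped like the "cve" object returned by the NVD
# API 2.0 (id, descriptions[], configurations[].nodes[].cpeMatch[]). They are
# modeled on the situations described in the article and are NOT copies of
# live NVD data; the EXAMPLE-CVE identifiers and the description wording are
# hypothetical.
SAMPLE_RECORDS = [
    {   # configuration range stops short of the fix the description names
        "id": "CVE-2024-6604",
        "descriptions": [{"lang": "en", "value":
            "This vulnerability affects Firefox < 128 and Firefox ESR < 115.13."}],
        "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
            {"vulnerable": True,
             "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*",
             "versionEndExcluding": "126.0"},
            {"vulnerable": True,
             "criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*",
             "versionEndExcluding": "115.13"},
        ]}]}],
    },
    {   # still "awaiting analysis": no configuration data at all
        "id": "EXAMPLE-CVE-A",
        "descriptions": [{"lang": "en", "value":
            "Heap overflow in ExampleApp < 2.4.1 allows code execution."}],
        "configurations": [],
    },
    {   # consistent record: range matches the description
        "id": "EXAMPLE-CVE-B",
        "descriptions": [{"lang": "en", "value":
            "This vulnerability affects ExampleApp < 2.4.1."}],
        "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
            {"vulnerable": True,
             "criteria": "cpe:2.3:a:example:exampleapp:*:*:*:*:*:*:*:*",
             "versionEndExcluding": "2.4.1"},
        ]}]}],
    },
]

# Matches "Firefox < 128" or "Firefox ESR < 115.13": capitalized product words
# followed by "<" and a dotted version. Mozilla-style descriptions use this form.
FIX_PATTERN = re.compile(r"\b([A-Z]\w*(?: [A-Z]\w*)*)\s*<\s*(\d+(?:\.\d+)*)")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '128.0.1' into (128, 0, 1); non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def fixed_versions(description: str) -> Dict[str, str]:
    """Map normalized product names ('firefox_esr') to the fix version named in the text."""
    return {prod.lower().replace(" ", "_"): ver
            for prod, ver in FIX_PATTERN.findall(description)}


def cpe_product(criteria: str) -> str:
    # cpe:2.3:<part>:<vendor>:<product>:<version>:... -> product is field 4
    return criteria.split(":")[4]


def check_record(record: dict) -> List[str]:
    """Return human-readable issues: missing configurations or ranges ending before the fix."""
    desc = next(d["value"] for d in record["descriptions"] if d["lang"] == "en")
    fixes = fixed_versions(desc)
    matches = [m for cfg in record.get("configurations", [])
               for node in cfg["nodes"] for m in node["cpeMatch"] if m.get("vulnerable")]
    if not matches:
        return [f"{record['id']}: awaiting analysis, no affected-product configuration"]
    issues = []
    for m in matches:
        product = cpe_product(m["criteria"])
        end_excl = m.get("versionEndExcluding")
        if product not in fixes or not end_excl:
            continue  # nothing in the description to compare this range against
        if parse_version(end_excl) < parse_version(fixes[product]):
            issues.append(f"{record['id']}: {product} range ends before {end_excl} "
                          f"but description says fixed in {fixes[product]}")
    return issues


def audit(records: List[dict]) -> Dict[str, List[str]]:
    """Run check_record over a batch and keep only records with findings."""
    return {r["id"]: issues for r in records if (issues := check_record(r))}


if __name__ == "__main__":
    for cve_id, issues in audit(SAMPLE_RECORDS).items():
        print(cve_id, *issues, sep="\n  ")
```

The check only catches the class of error the description makes visible (a range that ends before the stated fix); it cannot tell that a single OS-agnostic range should have been two, as in the Chrome case, so vendor advisories still have to be the tie-breaker for OS-specific builds.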
Moving Forward: Practical Alternatives and Solutions
Enhanced Vulnerability Databases
OSV.dev is an open-source vulnerability database maintained by Google, complete with vulnerability scanners, remediation tools, and APIs. The open-source nature provides transparency and community oversight that government-managed databases sometimes lack.
VulnCheck provides both community and paid features, including "NVD++", an enhanced version of NVD data that's verified and enriched with additional sources. They also maintain exploit databases and knowledge bases that provide context beyond basic vulnerability information.
Vulnerability-Lookup represents an interesting international approach, co-funded by the EU and Luxembourg's cybersecurity agency. It consolidates data from NVD, CVE lists, and additional sources like Red Hat, providing a more comprehensive view.
Vendor Advisories
Often, the most accurate and timely information comes directly from vendors. Companies like JetBrains, Mozilla, and Microsoft maintain their own security advisories that frequently contain more detailed and accurate information than centralized databases.
Microsoft provides RSS feeds for its security updates, allowing teams to get real-time notifications when new security information becomes available.
Data-Driven Prioritization
When traditional CVSS scores aren't available, alternative metrics can guide prioritization decisions:
CISA's Known Exploited Vulnerabilities (KEV) Catalog tracks vulnerabilities with confirmed exploitation in the wild. If a vulnerability appears in the KEV catalog, it should be treated as high priority regardless of whether NVD has assigned it a CVSS score yet.
The Exploit Prediction Scoring System (EPSS) uses statistical modeling to predict the probability of exploitation within the next 30 days. EPSS scores are dynamic and can change as threat intelligence evolves.
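To make the two signals concrete, here is an added Python example (not Kandji's tooling) of a prioritization rule that works even when the NVD record has no CVSS score: KEV membership wins outright, then EPSS above a threshold or a critical CVSS score, then a "review" bucket for CVEs with no data at all, then routine patching. The KEV set, EPSS probabilities, EXAMPLE-CVE identifiers and the 0.1 EPSS threshold are constructed assumptions; in production the first two come from CISA's KEV feed and FIRST's EPSS API, both keyed by CVE ID.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed inputs (not live data). In practice KEV_IDS holds the cveID
# values from CISA's KEV JSON feed and EPSS holds the probability FIRST's
# EPSS API returns per CVE; both are keyed by CVE ID, which is all this
# example relies on. The EXAMPLE-CVE identifiers are hypothetical.
KEV_IDS: Set[str] = {"EXAMPLE-CVE-A"}
EPSS: Dict[str, float] = {
    "EXAMPLE-CVE-A": 0.91,
    "EXAMPLE-CVE-B": 0.42,
    "EXAMPLE-CVE-C": 0.003,
    "EXAMPLE-CVE-D": 0.12,
    "EXAMPLE-CVE-F": 0.01,
}

# Sort order of the tiers; REVIEW sits above routine P3 because "no data" is
# not the same as "low risk".
TIER_ORDER = {"P1": 0, "P2": 1, "REVIEW": 2, "P3": 3}


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: Optional[float]  # None while the NVD record is still "awaiting analysis"


@dataclass(frozen=True)
class Ranked:
    cve: str
    tier: str
    epss: Optional[float]
    cvss: Optional[float]
    reason: str


def rank(f: Finding, kev_ids: Set[str] = KEV_IDS, epss: Dict[str, float] = EPSS,
         epss_threshold: float = 0.1) -> Ranked:
    """Assign a tier using exploitation evidence first and CVSS only as a fallback."""
    p = epss.get(f.cve)
    if f.cve in kev_ids:
        return Ranked(f.cve, "P1", p, f.cvss, "in CISA KEV: exploitation confirmed in the wild")
    if p is not None and p >= epss_threshold:
        return Ranked(f.cve, "P2", p, f.cvss, f"EPSS {p:.3f} >= {epss_threshold}")
    if f.cvss is not None and f.cvss >= 9.0:
        return Ranked(f.cve, "P2", p, f.cvss, f"CVSS {f.cvss} critical")
    if f.cvss is None and p is None:
        return Ranked(f.cve, "REVIEW", p, f.cvss, "no CVSS or EPSS data: check the vendor advisory")
    return Ranked(f.cve, "P3", p, f.cvss, "no exploitation signal: schedule with routine patching")


def prioritize(findings: List[Finding]) -> List[Ranked]:
    """Rank a batch; within a tier, exploitation likelihood (EPSS) outranks static severity (CVSS)."""
    ranked = [rank(f) for f in findings]
    ranked.sort(key=lambda r: (TIER_ORDER[r.tier], -(r.epss or 0.0), -(r.cvss or 0.0)))
    return ranked


# Constructed findings: a mix of scored, unscored and unexploited CVEs.
SAMPLE_FINDINGS = [
    Finding("EXAMPLE-CVE-F", 4.3),
    Finding("EXAMPLE-CVE-C", 9.8),
    Finding("EXAMPLE-CVE-A", None),   # in KEV, no CVSS yet
    Finding("EXAMPLE-CVE-E", None),   # no CVSS, no EPSS record
    Finding("EXAMPLE-CVE-D", 5.3),
    Finding("EXAMPLE-CVE-B", None),   # no CVSS, but EPSS says likely exploited
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_FINDINGS):
        print(f"{r.tier} {r.cve:14} epss={r.epss} cvss={r.cvss}  {r.reason}")
```

Note that EXAMPLE-CVE-B and EXAMPLE-CVE-A both have no CVSS score yet still land in the top two tiers; a CVSS-only workflow would have parked them until NVD caught up.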
Going Beyond NVD: How Kandji Vulnerability Management Enriches and Corrects Vulnerability Data
Kandji Vulnerability Management (VM) uses NVD data as a starting point but goes further by actively enriching and verifying that information in response to ongoing delays and inconsistencies. Kandji VM is built on the understanding that vulnerability intelligence is only useful when it is accurate, timely, and actionable. Kandji Threat Intelligence enriches CVEs that remain in NVD’s “awaiting analysis” state with essential context.
When NVD records contain inaccuracies, such as incorrect version ranges or missing OS-specific information, our security team works to correct and clarify that data quickly. This ensures that admins and security teams are not left relying on incomplete or misleading records when making patching decisions.
With Kandji Vulnerability Management, teams can identify, prioritize, and remediate vulnerabilities without being held back by external data delays.
The NVD is Not the End-All, Be-All
The National Vulnerability Database has served the cybersecurity community well for many years, but it's facing challenges that require both short-term workarounds and long-term solutions. The backlog, accuracy issues, and systemic scalability problems aren't going away without significant changes.
This doesn’t mean abandoning NVD, but it does mean building resilience around it.
The immediate lesson is clear: diversify your vulnerability intelligence sources. Don't let NVD bottlenecks slow down your security response. Build processes that can function effectively with multiple data sources, verify critical information, and prioritize vendor-direct communications for your most important assets.
The more places you look for vulnerability information, the better picture you get. In an environment where accurate, timely data can mean the difference between a successful patch cycle and a security incident, that comprehensive view is pivotal.
The future of vulnerability management isn't about finding the perfect database; it's about building robust processes that can deliver accurate, actionable intelligence regardless of which individual sources face challenges.