CVE and Common Vulnerabilities Reference
The Common Vulnerabilities and Exposures (CVE) system is the foundational identification standard for publicly disclosed cybersecurity vulnerabilities across software, firmware, and hardware. This page covers the structure of the CVE program, how vulnerabilities are classified and scored, the regulatory bodies and standards that reference CVE identifiers, and the decision points that determine how organizations prioritize remediation. The CVE system is maintained under the authority of MITRE Corporation through a contract with the Cybersecurity and Infrastructure Security Agency (CISA), making it a federally anchored reference infrastructure for the US security sector.
Definition and scope
A CVE entry is a standardized record that assigns a unique identifier to a specific, publicly known vulnerability in a software or hardware product. The identifier follows the format CVE-[YEAR]-[NUMBER], such as CVE-2021-44228, which designates the Log4Shell vulnerability in Apache Log4j. By its most recent public counts, the NIST National Vulnerability Database (NVD) hosts over 230,000 CVE records spanning decades of disclosed vulnerabilities.
The scope of the CVE program is bounded by a precise definition: a flaw must be independently fixable, acknowledged by the affected vendor or documented through credible public evidence, and affect a single codebase. Vulnerabilities that span multiple products through shared components may receive distinct CVE identifiers for each affected implementation.
The CVE program is administered by MITRE under sponsorship from CISA (see CISA's CVE program overview). CVE Numbering Authorities (CNAs) — a network of over 400 organizations globally, including major software vendors and national CERTs — are authorized to assign CVE IDs within their defined scope. NIST operates the NVD as a downstream enrichment layer, adding severity scores, weakness classifications, and patch references to raw CVE entries.
Professionals navigating the broader cybersecurity service sector can consult the for context on how vulnerability-related service providers are classified within this reference framework.
How it works
The lifecycle of a CVE record moves through four discrete phases:
- Discovery and reporting — A vulnerability is identified by a researcher, vendor, or automated scanning tool. The finder reports the issue to the relevant CNA or directly to MITRE if no CNA has jurisdiction.
- CNA assignment — A CNA with scope over the affected product assigns a CVE ID and creates a minimal record containing the identifier, a brief description, and references. The ID may be reserved before public disclosure to coordinate patching.
- NVD enrichment — After public disclosure, NIST analysts augment the CVE record in the NVD with a Common Vulnerability Scoring System (CVSS) score, Common Weakness Enumeration (CWE) classification, and Common Platform Enumeration (CPE) applicability data.
- Catalog ingestion — CISA ingests confirmed exploited CVEs into its Known Exploited Vulnerabilities (KEV) Catalog, which carries federal remediation directives under Binding Operational Directive 22-01.
CVSS scoring is the primary severity quantification mechanism. Maintained by the Forum of Incident Response and Security Teams (FIRST), CVSS v3.1 defines three metric groups: Base (intrinsic characteristics), Temporal (exploit maturity and remediation availability), and Environmental (organizational context). The Base metrics produce a base score from 0.0 to 10.0, which the Temporal and Environmental metrics then adjust; a score of 9.0 or above is classified as Critical. CVSS v4.0 was released by FIRST in 2023 and introduced supplemental metrics for safety impact and automatable exploitation.
The Common Weakness Enumeration (CWE), also maintained by MITRE, classifies the underlying software defect type — such as CWE-79 (Cross-site Scripting) or CWE-89 (SQL Injection) — providing a structural taxonomy that links individual CVEs to repeatable vulnerability patterns.
Common scenarios
Federal contractor and agency environments operate under Binding Operational Directive 22-01, which requires all federal civilian executive branch agencies to remediate KEV-verified vulnerabilities within CISA-specified timeframes — typically 2 weeks for critical vulnerabilities and up to 6 months for lower-severity items (CISA BOD 22-01).
Software vendors and product developers engage CVE through the CNA program. A vendor enrolled as a CNA assigns and publishes CVE IDs for vulnerabilities discovered in their own products, controlling the disclosure timeline and coordinating patches before public release.
Enterprise vulnerability management programs consume NVD data through automated scanner integrations. Tools ingest CVE identifiers and CVSS scores to generate prioritized patch queues. The practical challenge is volume: the NVD added more than 25,000 new CVE entries in 2022 alone (NVD Statistics, NIST), making raw score-based prioritization insufficient without additional threat intelligence context such as active exploitation status from the KEV Catalog.
Penetration testing and red team engagements reference CVE identifiers to document specific exploited vulnerabilities in assessment reports, creating a standardized audit trail that maps findings to remediation guidance.
The infosec providers section of this reference provides structured entries for security firms operating in vulnerability assessment, penetration testing, and patch management advisory categories.
Decision boundaries
Not every vulnerability warrants immediate remediation. The decision framework used by security operations teams distinguishes between four classification zones:
- KEV-verified and CVSS Critical (≥9.0): Highest remediation priority; federal mandate applies to civilian agencies under BOD 22-01.
- CVSS High (7.0–8.9), not KEV-verified: Elevated priority; remediation timelines determined by internal SLAs and asset criticality.
- CVSS Medium (4.0–6.9): Scheduled remediation within standard patch cycles; environmental scoring adjustments may elevate or reduce effective priority.
- CVSS Low (0.1–3.9): Risk-accepted or deferred; requires documented rationale in compliance-governed environments.
CVE vs. zero-day distinction: A zero-day vulnerability has no assigned CVE ID and no available patch at the time of active exploitation. Once a CVE is assigned and a patch or mitigation is published, the vulnerability exits zero-day classification. This boundary is operationally significant: zero-days require compensating controls such as network segmentation and behavioral detection, while CVE-identified vulnerabilities with available patches fall under standard patch management governance.
NVD analysis backlog: NIST publicly disclosed in 2024 that the NVD experienced a significant enrichment backlog, leaving a portion of new CVE entries without CVSS scores for extended periods. Organizations relying solely on NVD scores for prioritization face gaps during such intervals and must supplement with CNA-published advisories or third-party threat intelligence.
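The four decision zones above, together with the backlog caveat, amount to a triage rule that a vulnerability management program applies to every scanner finding. The following Python is an added example (not code from this page, CISA, or NIST) that joins constructed scanner findings against a constructed excerpt shaped like CISA's public KEV JSON feed (field names cveID, dateAdded, dueDate and knownRansomwareCampaignUse are those of the real feed; the dates are illustrative). It normalises CVE identifiers before matching, treats any KEV listing as the top zone regardless of score (a design choice here, since BOD 22-01 applies to every KEV entry), falls back to a CNA-published score when the NVD has not yet enriched a record, and routes findings that nobody has scored into an explicit review bucket rather than letting them sink to the bottom. Every CVE ID other than CVE-2021-44228 is a fictitious placeholder.

```python
"""Scanner-to-patch-queue triage using this page's four zones plus a
fallback for NVD-unscored entries (added example with constructed data)."""
import re
from typing import Optional

# CVE-YYYY-NNNN...: four-digit year, sequence number of four or more digits.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Constructed excerpt mirroring the shape of CISA's KEV JSON feed.
# The 2099 entry is a fictitious placeholder, not a real catalog record.
KEV_FEED = {
    "catalogVersion": "constructed-example",
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-00002", "vendorProject": "ExampleCorp", "product": "Placeholder",
         "dateAdded": "2099-01-05", "dueDate": "2099-01-26",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
}

# Constructed scanner output. Note the lowercase ID emitted by one tool, the
# CNA-only score (NVD backlog) and the entry with no score at all.
SCAN_FINDINGS = [
    {"cve": "cve-2021-44228", "asset": "web-01", "nvd_cvss": 10.0, "cna_cvss": 10.0},
    {"cve": "CVE-2099-00001", "asset": "db-02", "nvd_cvss": 9.1, "cna_cvss": None},
    {"cve": "CVE-2099-00002", "asset": "vpn-01", "nvd_cvss": 7.5, "cna_cvss": None},
    {"cve": "CVE-2099-00003", "asset": "ci-03", "nvd_cvss": None, "cna_cvss": 8.2},
    {"cve": "CVE-2099-00004", "asset": "kiosk-07", "nvd_cvss": None, "cna_cvss": None},
    {"cve": "CVE-2099-00005", "asset": "print-02", "nvd_cvss": 3.1, "cna_cvss": None},
]

# Queue order: confirmed exploitation first, then Critical, then anything
# nobody has scored (a gap, not a low), then the remaining bands.
ZONE_ORDER = ["P1-KEV", "P1-CRITICAL", "UNSCORED-REVIEW", "P2-HIGH", "P3-MEDIUM", "P4-LOW"]


def normalize_cve_id(raw: str) -> str:
    """Canonicalise case and whitespace and validate the CVE-YYYY-NNNN shape,
    so a mis-keyed identifier cannot silently miss a KEV match."""
    cand = raw.strip().upper()
    if not CVE_ID_RE.match(cand):
        raise ValueError(f"malformed CVE identifier: {raw!r}")
    return cand


def load_kev(feed: dict) -> dict:
    """Index a KEV-shaped feed by canonical CVE ID."""
    return {normalize_cve_id(e["cveID"]): e for e in feed["vulnerabilities"]}


def effective_score(finding: dict) -> Optional[float]:
    """Prefer the NVD score; fall back to the CNA advisory score during an
    NVD enrichment backlog; None means no published score exists yet."""
    for key in ("nvd_cvss", "cna_cvss"):
        if finding.get(key) is not None:
            return finding[key]
    return None


def zone(finding: dict, kev: dict) -> str:
    """Map one finding to a remediation zone."""
    cve = normalize_cve_id(finding["cve"])
    if cve in kev:
        return "P1-KEV"  # exploitation confirmed; federal due date applies
    score = effective_score(finding)
    if score is None:
        return "UNSCORED-REVIEW"
    if score >= 9.0:
        return "P1-CRITICAL"
    if score >= 7.0:
        return "P2-HIGH"
    if score >= 4.0:
        return "P3-MEDIUM"
    return "P4-LOW"


def build_queue(findings: list, kev: dict) -> list:
    """Return findings as queue rows sorted by zone, KEV due date, then score."""
    rows = []
    for f in findings:
        cve = normalize_cve_id(f["cve"])
        rows.append({"cve": cve, "asset": f["asset"], "zone": zone(f, kev),
                     "due": kev[cve]["dueDate"] if cve in kev else None,
                     "score": effective_score(f)})
    rows.sort(key=lambda r: (ZONE_ORDER.index(r["zone"]),
                             r["due"] or "9999-12-31",      # ISO dates sort as text
                             -(r["score"] if r["score"] is not None else 0.0)))
    return rows


if __name__ == "__main__":
    for row in build_queue(SCAN_FINDINGS, load_kev(KEV_FEED)):
        print(f"{row['zone']:<16} {row['cve']:<16} {row['asset']:<9} "
              f"score={row['score']} due={row['due']}")
```

Two behaviours are worth noting in the output: the KEV-listed finding with a 7.5 score is queued ahead of the 9.1 Critical that is not in the catalog, and the finding with no NVD score still lands in the High zone because its CNA advisory score is used, while the entry with no score from either source is surfaced for review instead of being deferred.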
Practitioners seeking qualified vulnerability management service providers can reference the how to use this infosec resource page for guidance on navigating the provider network by service category.