CVE and Common Vulnerabilities Reference

The Common Vulnerabilities and Exposures (CVE) system is the foundational public reference for identifying, cataloging, and communicating software and hardware security weaknesses across the global cybersecurity ecosystem. This page covers the structure of the CVE program, how vulnerability identifiers are assigned and scored, the organizational bodies that govern the system, and how practitioners apply CVE data within vulnerability management lifecycle operations and compliance frameworks.

Definition and scope

The CVE program is a dictionary of publicly disclosed cybersecurity vulnerabilities maintained by MITRE Corporation under sponsorship from the Cybersecurity and Infrastructure Security Agency (CISA) within the U.S. Department of Homeland Security. Each CVE entry represents a unique flaw or weakness in software, firmware, or hardware that has been identified and confirmed as meeting the program's disclosure criteria.

Scope is national and international in practice. While the program operates under U.S. federal sponsorship — authorized through CISA's mandate under the Cybersecurity Enhancement Act of 2014 — CVE identifiers are adopted by vendors, governments, and security researchers worldwide. The NIST National Vulnerability Database (NVD), maintained separately from MITRE, enriches CVE entries with severity scoring, Common Weakness Enumeration (CWE) mappings, and patch reference links, providing the layer of analytical metadata that makes raw CVE identifiers operationally useful.

CVE scope excludes:
- Theoretical vulnerabilities not yet confirmed in a real product
- Configuration errors that are not inherent product weaknesses
- Issues already merged into an existing CVE entry
- Vulnerabilities in products with no publicly available fix or acknowledgment path

As of the NVD's public dataset, the cumulative CVE count surpassed 200,000 entries (NVD Statistics, NIST), reflecting the scale of the vulnerability disclosure ecosystem that practitioners must navigate.

How it works

The CVE system operates through a distributed assignment infrastructure. MITRE serves as the CVE Program Root, while CVE Numbering Authorities (CNAs) — which include major software vendors, national CERTs, research institutions, and bug bounty platforms — are authorized to assign CVE IDs within their defined scope. As of 2024, over 350 organizations hold CNA status (CVE Program CNA List).

The lifecycle of a CVE entry follows a structured sequence:

  1. Discovery and reporting — A researcher, vendor, or automated scanner identifies a potential vulnerability. Responsible disclosure channels (vendor security teams, bug bounty programs, or CERT/CC) receive the initial report.
  2. CNA assignment — An authorized CNA reserves a CVE ID. At this stage the entry is marked "RESERVED" and carries no public details.
  3. Disclosure and population — Upon coordinated public disclosure, the CNA populates the CVE entry with a standardized description, affected product versions, and reference links. MITRE reviews for consistency.
  4. NVD enrichment — NIST analysts augment the published CVE with a CVSS score, CWE classification, CPE applicability statements, and patch links within the NVD.
  5. Ongoing maintenance — Entries may be updated, rejected, split, or merged as additional information surfaces. The CVE Program Root publishes dispute resolution procedures for contested entries.

Severity scoring applies the Common Vulnerability Scoring System (CVSS), maintained by FIRST (Forum of Incident Response and Security Teams). CVSS v3.1 scores range from 0.0 to 10.0 across four qualitative bands: None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), and Critical (9.0–10.0). CVSS v4.0, published by FIRST in 2023, introduced additional metric groups for supplemental and environmental context, distinguishing it from v3.1's base/temporal/environmental structure.

Common scenarios

CVE data surfaces across the security operations center (SOC) workflow, compliance auditing, and vendor risk management in predictable patterns:

Patch prioritization — Security teams query the NVD or CISA's Known Exploited Vulnerabilities (KEV) Catalog to identify which CVEs affecting their asset inventory carry confirmed exploit activity. CISA's Binding Operational Directive 22-01 requires U.S. federal civilian executive branch agencies to remediate KEV-listed vulnerabilities within mandated timeframes, creating a binding prioritization framework. Non-federal organizations reference the KEV catalog as a risk-based triage signal.

Compliance reporting — Frameworks including PCI DSS v4.0 require organizations to address vulnerabilities rated "high" by a qualified security assessor, operationally mapped to CVSS thresholds. CMMC compliance at Level 2 and above requires documented vulnerability management practices that reference CVE and NVD data directly.

Penetration testing scopingPenetration testing teams use CVE identifiers to document discovered vulnerabilities in standardized deliverables, enabling clients and auditors to cross-reference findings against public patch availability and CVSS severity without vendor-specific translation.

Threat intelligence correlation — The MITRE ATT&CK framework maps adversary techniques to CVE-identified weaknesses, allowing threat intelligence teams to trace observed attacker behavior back to unpatched vulnerabilities in the environment.

Supply chain risk — CVEs affecting third-party components embedded in commercial software (libraries, firmware, open-source dependencies) create transitive risk. The SolarWinds and Log4Shell (CVE-2021-44228, CVSS 10.0) incidents demonstrated how a single upstream CVE can propagate across thousands of downstream organizations simultaneously.

Decision boundaries

Understanding what CVE does and does not determine prevents organizational misapplication of the standard.

CVE ID ≠ exploitability confirmation — A CVE entry documents that a flaw exists and has been disclosed. It does not confirm that functional exploit code is publicly available, that the flaw is actively being weaponized, or that every listed affected version is reachable in a given environment. CVSS base scores are context-independent; environmental and temporal metrics must be applied to reflect actual organizational exposure.

CVSS score ≠ remediation priority — A Critical CVSS score on a system with no external exposure or exploitability vector may rank below a Medium-scored CVE on an internet-facing authentication service. Effective prioritization combines CVSS with asset criticality, network exposure, exploit availability, and threat intelligence — not CVSS in isolation.

CVE vs. CWE — CVE identifies specific instances of vulnerabilities in specific products. CWE (Common Weakness Enumeration), also maintained by MITRE, classifies the underlying weakness categories (e.g., CWE-79 Cross-Site Scripting, CWE-89 SQL Injection) that give rise to multiple CVEs. CWE informs application security and secure software development lifecycle practices by targeting root-cause patterns rather than individual instances.

NVD data lag — NIST has publicly acknowledged backlogs in NVD enrichment, particularly following a 2024 processing slowdown. Organizations relying solely on NVD CVSS scores may encounter CVEs with incomplete scoring metadata. CISA KEV, vendor advisories, and FIRST's CVSS calculator provide supplemental scoring pathways during NVD processing delays.

Rejection and dispute — Not all reserved CVE IDs become published entries. MITRE rejects entries that fail scope criteria, duplicate existing CVEs, or cannot be substantiated. Security teams should distinguish between RESERVED, PUBLISHED, and REJECTED states when querying CVE data sources.

References

📜 1 regulatory citation referenced  ·  🔍 Monitored by ANA Regulatory Watch  ·  View update log

Explore This Site

Regulations & Safety Regulatory References Tools & Calculators Password Strength Calculator