The foundation of global vulnerability management is in crisis. A critical report from the NIST Office of Inspector General has found that the National Vulnerability Database — the authoritative source for CVE severity scores, software identifiers, and weakness classifications relied upon by virtually every enterprise security program — now carries a backlog of more than 27,000 unprocessed vulnerability entries.
NVD Processing Failure
The Inspector General’s report traces the breakdown to two compounding failures. In February 2024, NIST halted payments to the contractors responsible for processing incoming CVE submissions, cutting off the pipeline that converts raw vulnerability reports into actionable database records. At the same time, NIST set an internal processing target of 6,200 vulnerabilities per month — a figure that exceeded the program’s documented historical maximum output of 5,000 entries per month.
The combined effect was predictable. Work stopped while the target climbed, and the backlog swelled from 13,000 unprocessed entries in February 2024 to more than 27,000 as of June 2026.
NVD CVSS Scoring Adds Little Value
The Inspector General identified a second dysfunction inside NVD’s core workflow: NIST’s independent CVSS severity scoring. Approximately 80% of CVE submissions already arrive with a severity score assigned by the reporting organization, yet NIST re-scores them anyway, and when it does, its scores align with those of other evaluators only 12% of the time.
The implication is that NIST is investing significant resources in a process that does not meaningfully improve the data quality of the database it is responsible for maintaining.
CISA Vulnrichment Creates $200,000 in Duplicate Work
While NVD stalled, CISA launched its own parallel processing program — Vulnrichment — in May 2024. Rather than coordinating with NIST to divide the workload, the two agencies proceeded independently, generating approximately 21,000 duplicate processing efforts across both programs. The IG found that NIST and CISA even hired the same contractor to perform identical work, resulting in an estimated $200,000 in wasted taxpayer funds.
The IG’s recommendations call on NIST to reduce redundant scoring activity, establish realistic monthly processing targets grounded in demonstrated capacity, and coordinate directly with CISA to eliminate overlapping effort.
Enterprise Security Programs Degrade Under Backlog
The consequences of NVD processing delays are not abstract. Enterprise vulnerability management programs depend on timely, complete NVD metadata to function. Patch prioritization workflows use CVSS scores to rank which vulnerabilities require immediate remediation and which can wait for scheduled maintenance cycles. Vulnerability scanners rely on CPE identifiers — software product identifiers maintained in NVD — to match discovered software versions against known vulnerable releases. SIEM enrichment pipelines pull CVE classification data to contextualize security alerts. Asset risk scoring platforms aggregate NVD severity and weakness data to produce the risk profiles that drive resource allocation decisions.
When NVD records are absent or incomplete, each of these processes degrades. Vulnerabilities without severity scores cannot be ranked. CVEs without CPE entries cannot be matched against installed software inventories. Alerts without enriched metadata require manual investigation that automated pipelines were designed to eliminate.
How the NVD Backlog Degrades Enterprise Patch Prioritization
The backlog creates asymmetric risk between organizations with mature vulnerability programs and those still building them. Mature programs often maintain supplementary scoring from commercial feeds or threat intelligence providers that can partially compensate for NVD gaps. Smaller organizations without those resources depend more heavily on NVD as their primary — or only — source of vulnerability context, so the processing failure falls hardest on those least equipped to absorb it.
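To make the degradation concrete, here is an added example (not code from the article, NIST or CISA) of a toy patch prioritization pass run over three constructed CVE records: one fully analyzed by NVD, one stuck in the backlog with only the reporter's (CNA) score, and one with nothing attached. The records, inventory, scores, placeholder CVE numbers and the `cna@example.org` source are all constructed; the dict layout loosely follows NVD 2.0 JSON field names (vulnStatus, metrics.cvssMetricV31, configurations) but is simplified, and the `supplementary_cpes` argument is a hypothetical stand-in for the commercial feed a mature program might use to fill CPE gaps.

```python
"""Added example, not code from the article or from NIST/CISA: a toy patch
prioritization pass showing what happens to CVE records stuck in the NVD
backlog. Records, inventory, scores and CVE numbers are constructed
placeholders; the dict layout loosely follows NVD 2.0 JSON field names
(vulnStatus, metrics.cvssMetricV31, configurations) but is simplified."""

# Constructed sample feed (placeholder CVE numbers, not real vulnerabilities).
SAMPLE_FEED = [
    {   # Fully analyzed by NVD: primary (NVD) score and CPE configuration present.
        "id": "CVE-0000-0001",
        "vulnStatus": "Analyzed",
        "metrics": {"cvssMetricV31": [
            {"source": "nvd@nist.gov", "type": "Primary", "baseScore": 9.8},
            {"source": "cna@example.org", "type": "Secondary", "baseScore": 8.8},
        ]},
        "configurations": [{"nodes": [{"cpeMatch": [
            {"criteria": "cpe:2.3:a:examplevendor:webapp:1.4.2:*:*:*:*:*:*:*"}]}]}],
    },
    {   # In the backlog: reporter (CNA) score present, no NVD score, no CPEs.
        "id": "CVE-0000-0002",
        "vulnStatus": "Awaiting Analysis",
        "metrics": {"cvssMetricV31": [
            {"source": "cna@example.org", "type": "Secondary", "baseScore": 7.5}]},
        "configurations": [],
    },
    {   # In the backlog with nothing attached at all.
        "id": "CVE-0000-0003",
        "vulnStatus": "Awaiting Analysis",
        "metrics": {},
        "configurations": [],
    },
]

# Constructed asset inventory as a scanner might fingerprint it: (vendor, product, version).
INVENTORY = [("examplevendor", "webapp", "1.4.2"), ("examplevendor", "agent", "2.0")]


def nvd_cpe_criteria(record):
    """Yield every CPE 2.3 criteria string from the record's NVD configurations."""
    for cfg in record.get("configurations", []):
        for node in cfg.get("nodes", []):
            for match in node.get("cpeMatch", []):
                yield match["criteria"]


def match_inventory(criteria_list, inventory):
    """Return inventory entries matched by the given CPE strings.
    Exact version match, or any version when the CPE version field is '*'."""
    hits = []
    for criteria in criteria_list:
        fields = criteria.split(":")        # cpe:2.3:part:vendor:product:version:...
        vendor, product, version = fields[3], fields[4], fields[5]
        for item in inventory:
            if item[:2] == (vendor, product) and version in ("*", item[2]):
                hits.append(item)
    return hits


def pick_score(record, cna_fallback):
    """Prefer NVD's primary CVSS v3.1 score; optionally fall back to the
    reporter-supplied secondary score. Returns (score, source) or (None, None)."""
    metrics = record.get("metrics", {}).get("cvssMetricV31", [])
    for m in metrics:
        if m["type"] == "Primary":
            return m["baseScore"], "nvd"
    if cna_fallback:
        secondary = [m["baseScore"] for m in metrics if m["type"] == "Secondary"]
        if secondary:
            return max(secondary), "cna"
    return None, None


def prioritize(feed, inventory, cna_fallback=False, supplementary_cpes=None):
    """Split a feed into a ranked patch list and the records that cannot be
    ranked. supplementary_cpes (hypothetical, standing in for a commercial feed)
    maps CVE id -> CPE strings and is consulted only when NVD has none."""
    supplementary_cpes = supplementary_cpes or {}
    ranked, unranked = [], []
    for rec in feed:
        score, source = pick_score(rec, cna_fallback)
        criteria = list(nvd_cpe_criteria(rec)) or supplementary_cpes.get(rec["id"], [])
        hits = match_inventory(criteria, inventory)
        if score is None:
            unranked.append((rec["id"], rec["vulnStatus"], "no severity score"))
        elif not hits:
            unranked.append((rec["id"], rec["vulnStatus"], "no CPE to match against inventory"))
        else:
            ranked.append((rec["id"], score, source, hits))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked, unranked


if __name__ == "__main__":
    print("NVD only:", prioritize(SAMPLE_FEED, INVENTORY))
    print("With CNA scores:", prioritize(SAMPLE_FEED, INVENTORY, cna_fallback=True))
    extra = {"CVE-0000-0002": ["cpe:2.3:a:examplevendor:agent:2.0:*:*:*:*:*:*:*"]}
    print("With CNA scores and supplementary CPEs:",
          prioritize(SAMPLE_FEED, INVENTORY, cna_fallback=True, supplementary_cpes=extra))
```

Run as-is, only the fully analyzed record is ranked; both backlog records drop out with no score. Enabling the CNA fallback recovers a score for the second record but it still cannot be matched to the inventory, because the score gap and the CPE gap are independent failures and borrowing the reporter's score fixes only one of them. Only the hypothetical supplementary CPE feed gets that record onto the patch list, which is exactly the compensating capacity the text attributes to mature programs and that smaller organizations lack.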
The IG report does not assign a timeline for clearing the existing backlog. With more than 27,000 entries outstanding and a historical maximum throughput of 5,000 per month, even at peak capacity the queue represents more than five months of uninterrupted processing work — assuming no new vulnerabilities enter the pipeline, which they will.
The structural problems identified in the report — contractor payment failures, unrealistic targets, and duplicated interagency effort — are management failures that NVD’s technical staff cannot resolve unilaterally. Until those organizational decisions are corrected, the backlog will continue to constrain the programs that depend on it.
