Inspector general says NIST mismanagement left the National Vulnerability Database with a 27,000-entry backlog

A U.S. watchdog found that NIST’s National Vulnerability Database, a key public source used to track and prioritize software flaws, has become ineffective after mismanagement caused a massive processing backlog. The report says unprocessed vulnerability records grew from about 13,000 in February 2024 to more than 27,000 by the end of 2025, after NIST stopped paying contractors, missed its recovery goals, and duplicated at least 21,000 pieces of work already handled by CISA’s Vulnrichment program.
Why it matters: Companies, government agencies, and security teams rely on NVD data to decide what to fix first, and delays can slow patching and risk decisions across the ecosystem. The impact on users is indirect but broad: defenders may need to lean more on vendor advisories, CISA KEV, and other sources until NVD processing becomes reliable again.

Sources

Inspector general finds NIST mistakes have made vulnerability database ineffective
2026.06.01
This article establishes a distinct oversight and infrastructure story about NIST’s vulnerability-processing failures and the operational impact on the National Vulnerability Database, rather than updating a specific CVE or exploit event.