NVD Backlog Continues to Grow

The backlog of unanalyzed vulnerabilities for the National Vulnerability Database continues to grow, with new estimates suggesting the backlog could reach nearly 30,000 unanalyzed vulnerabilities by the end of 2024.

The National Vulnerability Database (NVD), maintained by the National Institute of Standards and Technology (NIST), is the United States' official repository for common vulnerabilities and exposures. Many scanners, analysts, and vendors depend on the NVD to determine what software has been affected by a vulnerability. When vulnerabilities are not added to the database in a timely manner, it impacts an enterprise defender's ability to prioritize vulnerabilities that need immediate patching or to identify issues that affect multiple applications.

NVD currently has a backlog of 16,974 vulnerabilities and receives, on average, about 111 additional security flaws daily. Data from Fortress Information Security suggests that analysts would need to process more than 217 vulnerabilities each day just to clear the backlog and keep up with the new ones being reported. Currently, NIST is averaging just over 30 new vulnerabilities per day, according to Fortress.

Resource challenges, an increase in the volume of vulnerabilities being disclosed, and other constraints have hampered NIST's ability to process vulnerabilities in a timely manner, NIST said earlier this year. The agency announced a partnership with the Cybersecurity and Infrastructure Security Agency as well as a contract with a private cybersecurity company for help clearing the backlog. The aim was to reduce the backlog by Sept. 30, the end of the government's fiscal year.

According to Fortress, NIST has analyzed just a little over a quarter of new CVEs discovered in 2024. At the current pace, Fortress estimates 29,569 vulnerabilities will still be awaiting analysis by the end of 2024 — and that calculation is based on the assumption that analysts are working seven days a week.

With 155 days left in 2024 (and just 62 days to the end of the fiscal year), NIST would have to significantly increase resources even more to make a reasonable dent in the backlog.