NIST Vulnerability Database Backlog Swells to 27,000 Unprocessed Flaws, Threatening Timely Patch Prioritization
What Happened — An Inspector General report found that the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) backlog grew from ~13,000 unprocessed CVEs in February 2024 to more than 27,000 by the end of 2025. The surge was driven by halted contractor payments, lack of a processing plan, and poor coordination with the Cybersecurity and Infrastructure Security Agency (CISA), resulting in duplicated effort and an estimated $200 k waste.
Why It Matters for TPRM —
- The NVD is a primary source for vulnerability scoring; a stale database lengthens exposure windows for all downstream vendors.
- Governance failures at a critical public‑sector supplier signal potential supply‑chain risk for organizations that depend on its data.
- Duplicate work and delayed entries reduce confidence in vulnerability‑management metrics used in third‑party risk assessments.
Who Is Affected — All industries that rely on NVD feeds for patch prioritization, notably technology SaaS, cloud‑infrastructure providers, government contractors, and critical‑infrastructure operators.
Recommended Actions —
- Validate that your vulnerability‑management program does not rely solely on NVD data; incorporate alternative feeds (vendor advisories, private CVE feeds).
- Engage NIST (or your government liaison) to obtain updated processing timelines and request transparency on backlog remediation.
- Review internal governance to ensure third‑party data sources are regularly audited for timeliness and completeness.
Technical Notes — The backlog stems from administrative missteps (stopped contractor payments, absent processing roadmap) and a lack of inter‑agency communication, not from a specific software flaw. No CVE identifiers or data‑type breaches are disclosed; the impact is the loss of timely vulnerability metadata. Source: The Record