NVD Backlog Crisis Doubles in One Year: NIST's Vulnerability Database Losing Credibility

NIST's National Vulnerability Database has fallen critically behind in processing new vulnerabilities, with unprocessed items doubling from 13,000 to 27,000 between February 2024 and end of 2025, according to an inspector general report. This operational failure directly undermines the NVD's utility as the primary source of truth for vulnerability data across the security industry.

Sebastion

Affected

National Vulnerability Database (NVD)
NIST
Security industry dependency on NVD

The National Vulnerability Database backlog has reached crisis proportions. An inspector general report reveals that unprocessed vulnerabilities have accumulated to 27,000 as of end-2025, up from 13,000 in February 2024. This represents a 108 percent increase in outstanding work in less than two years. The NVD is the authoritative public source for vulnerability metadata, CVSS scoring, and enriched vulnerability information relied upon by vulnerability management platforms, security researchers, and defenders globally. A backlog of this magnitude means newly disclosed vulnerabilities lack official CVSS ratings, CPE mappings, and contextual analysis for weeks or months, creating a vacuum that forces organisations to make risk decisions on incomplete information.

The operational failure reflects systemic issues within NIST's vulnerability programme. The inspector general's findings implicate management and process mistakes rather than a simple resource constraint. This suggests that even with adequate staffing levels, NIST has failed to implement efficient workflows, prioritisation mechanisms, or automation where possible. The fact that the backlog accelerated dramatically over just one year points to either degradation of existing processes, inadequate tooling, or staffing attrition that was not addressed. For a government agency responsible for critical security infrastructure, this represents a significant governance failure.

The downstream impact is substantial. Vulnerability scanners and risk scoring tools depend on NVD data currency to provide accurate assessments. A 27,000-vulnerability backlog means millions of organisations cannot obtain official vulnerability context when they need it most, immediately after disclosure. This forces security teams to either wait for NVD enrichment or rely on vendor-specific or third-party interpretations of vulnerability severity, increasing inconsistency and potentially leading to misallocation of remediation effort. Attackers, by contrast, need no such official validation and can begin exploitation campaigns against unpatched systems immediately.

Defenders should not assume the NVD backlog will resolve quickly. Historical precedent suggests that when government operations accumulate this level of work debt, recovery requires significant intervention. Organisations must reduce their direct dependency on NVD timeliness by implementing complementary vulnerability intelligence sources, including vendor advisories, exploit databases, and threat intelligence feeds. Vulnerability management programmes should adopt a layered approach to severity scoring rather than relying solely on NVD CVSS values. For security teams prioritising remediation work, this backlog should trigger a shift toward threat-driven patching strategies that weight active exploitation signals above NVD publication delay.
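One way to encode the layered, exploitation-weighted prioritisation described above, as an added Python example (not code from the report or from NIST). The scoring weights, the conservative default for items still awaiting enrichment, and the sample records with placeholder CVE identifiers are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class VulnRecord:
    cve: str
    nvd_cvss: Optional[float]      # None while NVD enrichment sits in the backlog
    vendor_cvss: Optional[float]   # score from the vendor advisory, if one was published
    actively_exploited: bool       # signal from an exploitation feed or threat intel source
    days_since_disclosure: int

# Assumption: an unscored item is treated as High rather than as zero, so the
# backlog cannot silently push it to the bottom of the queue.
UNENRICHED_DEFAULT = 7.0
EXPLOITED_BONUS = 10.0   # exploitation evidence outranks any scoring gap
MAX_AGE_BOOST_DAYS = 30  # un-enriched items gain up to +1.0 as they age

def effective_severity(rec: VulnRecord) -> Tuple[float, str]:
    """Layered severity: NVD score if present, else vendor score, else a default."""
    if rec.nvd_cvss is not None:
        return rec.nvd_cvss, "nvd"
    if rec.vendor_cvss is not None:
        return rec.vendor_cvss, "vendor"
    return UNENRICHED_DEFAULT, "unenriched-default"

def priority_score(rec: VulnRecord) -> Tuple[float, str]:
    """Rank by severity, then weight active exploitation far above NVD delay."""
    sev, source = effective_severity(rec)
    score = sev
    if rec.actively_exploited:
        score += EXPLOITED_BONUS
    if source != "nvd":
        # Items waiting on NVD should rise, not sink, the longer they wait.
        score += min(rec.days_since_disclosure, MAX_AGE_BOOST_DAYS) / MAX_AGE_BOOST_DAYS
    return round(score, 2), source

def rank(records: List[VulnRecord]) -> List[Tuple[str, float, str]]:
    """Return (cve, score, severity_source) sorted highest priority first."""
    scored = [(rec.cve, *priority_score(rec)) for rec in records]
    return sorted(scored, key=lambda t: t[1], reverse=True)

# Constructed sample records with placeholder identifiers (not real CVE data).
SAMPLE = [
    VulnRecord("CVE-XXXX-0001", 9.8, None, False, 5),    # fully enriched, not exploited
    VulnRecord("CVE-XXXX-0002", None, 7.5, True, 40),    # in backlog, vendor-scored, exploited
    VulnRecord("CVE-XXXX-0003", None, None, False, 15),  # in backlog, no score anywhere
    VulnRecord("CVE-XXXX-0004", 5.3, 6.0, False, 2),     # enriched; NVD score wins
]

if __name__ == "__main__":
    for cve, score, source in rank(SAMPLE):
        print(f"{cve}  priority={score:<5}  severity_from={source}")
```

The un-enriched, actively exploited record ranks first despite having no NVD score, which is the point of not letting NVD publication delay set remediation order.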

This incident exposes a fragility in the security infrastructure that the industry has come to take for granted. The NVD is not a luxury service; it is foundational. When a single organisation's operational failures cascade into reduced utility for the entire security ecosystem, it warrants urgent structural review. NIST must either receive adequate resources and autonomy to clear this backlog and prevent recurrence, or the security community must collectively build redundancy into its dependency on NVD data. Neither outcome is cost-free, but the current trajectory is unsustainable.