NIST's National Vulnerability Database fell 93% behind on CVE analysis in 2024, leaving organizations unable to assess which open source vulnerabilities actually affect them

In February 2024, NIST drastically scaled back its National Vulnerability Database (NVD) enrichment program, citing budget cuts (~12%) and staff shortages, and a catastrophic backlog followed. By May 2024, 93.4% of newly reported CVEs remained unanalyzed; by September 2024, 18,358 CVEs (72.4% of new reports) still lacked severity scores, affected-product lists, or remediation guidance.

Why it matters: without NVD enrichment data, security teams cannot prioritize patching, so they either ignore vulnerabilities or waste resources patching everything; open source maintainers receive floods of undifferentiated vulnerability reports they cannot triage; genuinely critical vulnerabilities get buried alongside low-severity issues; and attackers exploit known vulnerabilities while defenders are overwhelmed by the unprocessed backlog.

The structural root cause is that the world's vulnerability tracking infrastructure depends on a single US government agency (NIST), funded by annual congressional appropriations with no redundancy, while CVE volume has grown 38% year-over-year (over 40,000 in 2024) as NIST's budget and staffing have shrunk: an unsustainable mismatch between vulnerability discovery velocity and analysis capacity.

Evidence

As reported by The Register (October 2024), NVD had 17,873 unprocessed CVEs as of publication. VulnCheck's analysis found actively exploited vulnerabilities lurking unanalyzed in the backlog. In 2024, over 40,000 CVEs were published (38% YoY increase), with 20,000+ having CVSS scores >= 7.0 and 4,400+ being critical (CVSS 9-10). MITRE's government contract for the CVE program itself nearly expired in April 2025 without renewal. NIST faced approximately a 12% budget cut and internal restructuring that reduced analyst capacity. The Linux kernel alone submitted thousands of CVEs, overwhelming the system.
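The prioritization gap described in the summary, and the evidence point that actively exploited vulnerabilities sit unanalyzed in the backlog, can be made concrete with a small triage script. This is an added example, not code from the original post or from NIST: it assumes records shaped like the NVD API 2.0 JSON (`vulnStatus`, `metrics.cvssMetricV31`, `configurations`), uses constructed placeholder CVE ids, and treats a constructed set of exploited-vulnerability ids as a stand-in for a list such as CISA KEV. It separates CVEs that NIST has finished enriching from those still awaiting analysis, and falls back to exploitation evidence for the latter instead of ignoring them.

```python
import json

# Constructed sample shaped like an NVD API 2.0 response (an assumption about
# the schema; the CVE ids are obvious placeholders, not real identifiers).
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-10001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"criteria": "cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-10002", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
    {"cve": {"id": "CVE-0000-10003", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
    {"cve": {"id": "CVE-0000-10004", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 4.3}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"criteria": "cpe:2.3:a:example:gadget:2.1:*:*:*:*:*:*:*"}]}]}]}},
    # Still being analyzed: a score exists but no affected-product list yet.
    {"cve": {"id": "CVE-0000-10005", "vulnStatus": "Undergoing Analysis",
             "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 7.5}}]}}},
]})

# Constructed stand-in for an exploited-vulnerabilities list (e.g. CISA KEV),
# used as the fallback signal when NVD enrichment is absent.
SAMPLE_EXPLOITED = frozenset({"CVE-0000-10003"})


def cvss_score(cve):
    """Return the first available CVSS base score (v3.1, then v3.0, then v2), or None."""
    metrics = cve.get("metrics") or {}
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        entries = metrics.get(key) or []
        if entries:
            return float(entries[0]["cvssData"]["baseScore"])
    return None


def is_enriched(cve):
    """Enriched means NIST finished analysis: status, a score and an affected-product list."""
    return (cve.get("vulnStatus") == "Analyzed"
            and cvss_score(cve) is not None
            and bool(cve.get("configurations")))


def triage(feed_json, exploited_ids=frozenset(), high_threshold=7.0):
    """Split a feed into enriched vs. unanalyzed CVEs and pick what to patch first.

    Enriched CVEs are prioritized by CVSS; unanalyzed ones cannot be scored,
    so they are escalated only when an exploitation source lists them.
    """
    records = [v["cve"] for v in json.loads(feed_json)["vulnerabilities"]]
    enriched, unanalyzed, patch_now = [], [], []
    for cve in records:
        cid = cve["id"]
        if is_enriched(cve):
            enriched.append(cid)
            if cvss_score(cve) >= high_threshold:
                patch_now.append(cid)
        else:
            unanalyzed.append(cid)
            if cid in exploited_ids:
                patch_now.append(cid)
    ratio = len(unanalyzed) / len(records) if records else 0.0
    return {"enriched": enriched, "unanalyzed": unanalyzed,
            "patch_now": patch_now, "unanalyzed_ratio": ratio}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_FEED, SAMPLE_EXPLOITED), indent=2))
```

The `unanalyzed_ratio` is the same figure the post quotes (93.4% in May 2024) computed over whatever slice of the feed you pull; tracking it per product inventory shows how much of your own exposure is currently unscoreable. Note that a CVSS score alone is not enough to count a record as enriched: without the `configurations` CPE list you still cannot tell whether the vulnerability affects anything you run.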
