Common Vulnerabilities and Exposures (CVE) Reference

The Common Vulnerabilities and Exposures (CVE) system is the standardized public identifier framework used to catalog discrete security flaws in software and hardware. Administered by the MITRE Corporation under sponsorship from the Cybersecurity and Infrastructure Security Agency (CISA), CVE functions as the foundational reference vocabulary across vulnerability management, patch prioritization, and regulatory compliance contexts throughout the United States and internationally. This reference describes the CVE structure, the lifecycle of a CVE record, the scenarios in which CVE identifiers carry operational significance, and the boundaries that define what qualifies for CVE assignment.


Definition and scope

CVE is a dictionary of publicly known cybersecurity vulnerabilities, each assigned a unique identifier in the format CVE-[YEAR]-[NUMBER] (e.g., CVE-2021-44228, the Log4Shell vulnerability). The program was established by MITRE in 1999 and operates under contract with CISA, which funds the program through the Department of Homeland Security. The authoritative CVE list is published at cve.mitre.org, and the National Vulnerability Database (NVD), maintained by the National Institute of Standards and Technology (NIST) at nvd.nist.gov, augments CVE records with severity scoring, remediation references, and classification metadata.

The scope of CVE is bounded by a defined standard: a flaw must be independently fixable, acknowledged by the affected vendor or documented in public sources, and affect a discrete codebase. CVE does not catalog configuration errors, policy weaknesses, or physical security failures — those fall outside the program's published inclusion criteria (MITRE CVE Counting Rules). As of the 2023 CVE Program Annual Report, the CVE List contained over 200,000 published identifiers, reflecting decades of accumulation across commercial, open-source, and government-facing software.

The program intersects with federal compliance frameworks at multiple points. NIST's Cybersecurity Framework (CSF) maps vulnerability management to the "Identify" and "Protect" functions, and NIST SP 800-53 Revision 5 (control family RA — Risk Assessment) requires federal agencies to correlate findings against the CVE list as part of continuous monitoring programs. For providers included in this directory's digital security listings, familiarity with CVE is a baseline professional requirement in the vulnerability assessment and penetration testing service categories.


How it works

The CVE lifecycle operates through a distributed assignment structure anchored by three entity types:

  1. MITRE (CVE Program Root) — Serves as the primary CVE Numbering Authority (CNA) and program administrator. MITRE arbitrates disputes, sets inclusion rules, and maintains the master CVE List.
  2. CNAs (CVE Numbering Authorities) — Organizations authorized to assign CVE IDs within their defined scope. As of 2024, over 300 CNAs operate globally (CVE CNA List), including major vendors such as Microsoft, Red Hat, and Apple, as well as national CERTs and research organizations.
  3. CISA (Top-Level Root CNA) — Oversees the CNA hierarchy in the US government context and coordinates with sector-specific disclosure pipelines.

The assignment process follows a structured sequence:

  1. A vulnerability is discovered by a researcher, vendor, or automated scanning system.
  2. The discoverer contacts the relevant CNA or MITRE directly to request a CVE ID.
  3. The CNA validates that the vulnerability meets inclusion criteria — discrete, independently fixable, in-scope for that CNA.
  4. A CVE ID is reserved; the record initially carries minimal data.
  5. Upon public disclosure (coordinated or uncoordinated), the full CVE record is published, including a description, affected product references, and Common Platform Enumeration (CPE) data.
  6. NVD analysts independently enrich the record with a Common Vulnerability Scoring System (CVSS) score, weakness classification via CWE (Common Weakness Enumeration), and reference links.

CVSS scores range from 0.0 to 10.0, with 9.0–10.0 classified as Critical severity under CVSS v3.1 scoring guidelines published by FIRST (Forum of Incident Response and Security Teams). The distinction between CVSS base scores and temporal or environmental scores represents a significant classification boundary: base scores reflect intrinsic severity; environmental scores adjust for an organization's specific deployment context.

The purpose and scope page of this digital security directory describes how vulnerability management services fit within the broader cybersecurity professional landscape.


Common scenarios

CVE identifiers surface across four primary operational contexts:

Patch management and vulnerability remediation — Enterprise security teams ingest CVE feeds to prioritize patching queues. CISA's Known Exploited Vulnerabilities (KEV) Catalog lists CVEs that have confirmed active exploitation in the wild; as of 2024, the catalog exceeded 1,100 entries, and CISA's Binding Operational Directive 22-01 mandates that federal civilian agencies remediate KEV-listed vulnerabilities within defined timeframes.
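As an added illustration of the prioritization step described above (example code written for this reference, not tooling from MITRE, NVD or CISA): the block parses a constructed feed of minimal NVD-style records, rejects identifiers that do not follow the CVE-[YEAR]-[NUMBER] syntax, skips records still in reserved status, maps each CVSS v3.1 base score to its FIRST qualitative band, and orders the patch queue with KEV-listed entries first and higher base scores next. The feed, the KEV membership set, the CVE-2099-… identifiers and the field names status and cvss_base are constructed for the example; only CVE-2021-44228 is a real identifier, taken from this page.

```python
"""Constructed example: build a patch-priority queue from a CVE feed and a KEV list."""
import json
import re

# CVE ID syntax: "CVE-" + four-digit year + "-" + a sequence of four or more digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# CVSS v3.1 qualitative severity bands (upper bound inclusive), per the FIRST specification.
# A score of exactly 0.0 is rated "None" and is handled separately below.
SEVERITY_BANDS = ((3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical"))


def cvss_severity(score):
    """Map a CVSS v3.1 base score to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS score out of range: %r" % (score,))
    if score == 0.0:
        return "None"
    for upper, label in SEVERITY_BANDS:
        if score <= upper:
            return label
    raise AssertionError("unreachable: every score <= 10.0 falls in a band")


# Constructed feed (assumption): a minimal subset of NVD-style record fields, not real NVD data.
# The CVE-2099-* identifiers are placeholders; CVE-2021-44228 is the real Log4Shell ID.
SAMPLE_FEED = json.dumps([
    {"id": "CVE-2021-44228", "status": "PUBLISHED", "cvss_base": 10.0, "desc": "Log4Shell"},
    {"id": "CVE-2099-00001", "status": "RESERVED", "cvss_base": None, "desc": ""},
    {"id": "CVE-2099-00002", "status": "PUBLISHED", "cvss_base": 5.3, "desc": "constructed medium"},
    {"id": "CVE-2099-00003", "status": "PUBLISHED", "cvss_base": 7.5, "desc": "constructed high"},
    {"id": "cve-bogus", "status": "PUBLISHED", "cvss_base": 9.8, "desc": "malformed id"},
])

# Constructed KEV membership set (assumption): stands in for the CISA KEV catalog feed.
SAMPLE_KEV = {"CVE-2021-44228", "CVE-2099-00003"}


def load_feed(feed_json):
    """Parse the feed, dropping malformed IDs and records that are not yet published."""
    records = []
    for rec in json.loads(feed_json):
        if not CVE_ID_RE.match(rec["id"]):
            continue  # malformed identifier: never let it into the queue
        if rec["status"] != "PUBLISHED" or rec["cvss_base"] is None:
            continue  # reserved records carry no public detail and no score yet
        records.append(rec)
    return records


def prioritize(feed_json, kev_ids):
    """Return (cve_id, severity, in_kev) tuples: KEV entries first, then by base score."""
    rows = []
    for rec in load_feed(feed_json):
        in_kev = rec["id"] in kev_ids
        rows.append((rec["id"], cvss_severity(rec["cvss_base"]), in_kev, rec["cvss_base"]))
    # Sort key: KEV membership (True first), then descending base score.
    rows.sort(key=lambda r: (not r[2], -r[3]))
    return [(cve_id, severity, in_kev) for cve_id, severity, in_kev, _ in rows]


if __name__ == "__main__":
    for cve_id, severity, in_kev in prioritize(SAMPLE_FEED, SAMPLE_KEV):
        print("%-16s %-8s KEV=%s" % (cve_id, severity, in_kev))
```

The sort key encodes the point made under "Decision boundaries": the identifier alone carries no severity, so the queue order comes from KEV membership and the CVSS base score attached to the record, never from the ID.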

Penetration testing and security assessments — Credentialed vulnerability scanners (Tenable Nessus, Qualys, and comparable platforms) map detected weaknesses to CVE IDs, providing assessors and clients with standardized findings that can be benchmarked across engagements. Service providers operating in this sector often reference CVE coverage rates as a capability indicator.

Incident response and threat intelligence — When threat actors exploit a specific flaw, incident response teams use the CVE identifier to anchor timelines, correlate indicators of compromise across affected systems, and communicate findings to regulators. The SEC's cybersecurity incident disclosure rules (17 CFR Part 229, effective December 2023) create formal channels in which CVE-identified vulnerabilities may appear in material incident disclosures.

Software supply chain risk management — NIST SP 800-161 Revision 1, addressing cybersecurity supply chain risk management, references CVE as a component of vendor product assessment. Organizations evaluating third-party software components against a Software Bill of Materials (SBOM) use CVE records to identify whether specific component versions carry known flaws.
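The SBOM check described above, as an added example that is not part of this reference or of any NIST or MITRE tooling: a constructed component list (name and version, the minimal fields an SBOM carries for each component) is matched against constructed CVE records whose affected-version bounds use the NVD-style field names versionStartIncluding, versionEndIncluding and versionEndExcluding. The product names, the CVE-2099-… identifiers and the version ranges are all placeholders; the version comparison assumes dotted numeric versions and pads shorter versions with zeros so that 2.17 and 2.17.0 compare equal.

```python
"""Constructed example: match SBOM components against CVE affected-version ranges."""


def parse_version(version):
    """Split a dotted version into a tuple of ints; a non-numeric tail in a segment is ignored.

    Assumption: versions are dotted-numeric (e.g. "2.14.1"); pre-release tags are not modelled.
    """
    parts = []
    for segment in version.split("."):
        digits = ""
        for ch in segment:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_cmp(a, b):
    """Return -1, 0 or 1 comparing a to b, padding the shorter tuple with zeros."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def in_affected_range(version, record):
    """True if version lies inside the record's bounds; absent bounds are unbounded."""
    start_inc = record.get("versionStartIncluding")
    end_inc = record.get("versionEndIncluding")
    end_exc = record.get("versionEndExcluding")
    if start_inc is not None and version_cmp(version, start_inc) < 0:
        return False
    if end_inc is not None and version_cmp(version, end_inc) > 0:
        return False
    if end_exc is not None and version_cmp(version, end_exc) >= 0:
        return False
    return True


def match_sbom(sbom, cve_records):
    """Return (component, version, cve_id) for every component inside an affected range."""
    findings = []
    for component in sbom:
        for record in cve_records:
            if record["product"] != component["name"]:
                continue
            if in_affected_range(component["version"], record):
                findings.append((component["name"], component["version"], record["id"]))
    return findings


# Constructed SBOM (assumption): the name/version pairs an SBOM lists per component.
SAMPLE_SBOM = [
    {"name": "example-lib", "version": "2.14.1"},
    {"name": "example-lib", "version": "2.17"},
    {"name": "other-lib", "version": "1.0.3"},
]

# Constructed CVE records (assumption): placeholder IDs, products and ranges; the bound
# field names mirror the ones NVD uses in its CPE match data.
SAMPLE_CVES = [
    {"id": "CVE-2099-00010", "product": "example-lib",
     "versionStartIncluding": "2.0", "versionEndExcluding": "2.15.0"},
    {"id": "CVE-2099-00011", "product": "example-lib",
     "versionStartIncluding": "2.0", "versionEndExcluding": "2.17.1"},
    {"id": "CVE-2099-00012", "product": "other-lib",
     "versionEndIncluding": "1.0.2"},
]


if __name__ == "__main__":
    for name, version, cve_id in match_sbom(SAMPLE_SBOM, SAMPLE_CVES):
        print("%s %s is affected by %s" % (name, version, cve_id))
```

Matching on a bare product name is the simplification here; a production check keys on CPE (vendor, product, version and platform fields) so that same-named components from different vendors are not conflated.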


Decision boundaries

Understanding what CVE covers — and what it does not — determines how organizations structure their vulnerability programs.

CVE vs. zero-day — A zero-day vulnerability has no CVE record at the time of exploitation because it has not been publicly disclosed or assigned. CVE records are inherently reactive; they document known flaws after disclosure. Vulnerability programs that rely solely on CVE-based scanning miss the zero-day exposure window entirely.

CVE vs. CWE — CWE (Common Weakness Enumeration), also maintained by MITRE (cwe.mitre.org), classifies the underlying weakness type (e.g., CWE-79: Cross-site Scripting; CWE-89: SQL Injection). A CVE record identifies a specific instance of a vulnerability in a specific product; a CWE classifies the category of weakness. CWE informs secure development practices; CVE informs remediation of deployed systems.

CVE vs. CVSS — CVE is an identifier; CVSS is a severity scoring method. A single CVE record carries one or more CVSS scores assigned by NVD or the originating CNA, but the CVE ID itself carries no inherent severity designation. Conflating the identifier with its severity score leads to misprioritized remediation queues.

Assigned vs. published status — A CVE ID may exist in "reserved" status — assigned but not yet publicly detailed — when disclosure is pending coordination with a vendor. Organizations receiving reserved CVE information through coordinated disclosure channels must treat that information according to applicable disclosure agreements until the record moves to published status.

The page on how to use this digital security resource describes how CVE-related service categories are organized within this reference directory, including vulnerability assessment, disclosure coordination, and patch management services.


References