# NIST reprioritizes NVD for CISA KEV
- NIST said on April 15 it changed National Vulnerability Database workflows to prioritize CISA Known Exploited Vulnerabilities and software used by the federal government. (nist.gov)
- The clearest number is one business day: NIST said its goal is to enrich CVEs in CISA’s KEV catalog within that window. (nist.gov)
- Microsoft’s May 12 security release and NIST’s updated queue are both live now on the MSRC and NVD sites. (blog.talosintelligence.com)
NIST changed how it handles new vulnerability records on April 15, saying the National Vulnerability Database will now prioritize CVEs that appear in CISA’s Known Exploited Vulnerabilities catalog, software used within the federal government, and software covered by Executive Order 14028’s critical-software definition. (nist.gov) The agency said all submitted CVEs will still be added to the NVD, but records outside those categories will be tagged “Lowest Priority - not scheduled for immediate enrichment.” NIST said the shift was driven by record CVE growth and a backlog that outpaced its ability to add severity scores, product data and other metadata to every entry.

The change landed as Microsoft’s May 12 Patch Tuesday delivered 137 CVEs and no zero-days, while security teams were also digesting May updates from vendors including SAP. (blog.talosintelligence.com)

### Why did NIST change the queue now?

NIST said on April 15 that CVE submissions rose 263% between 2020 and 2025, and that submissions in the first three months of 2026 were nearly one-third higher than in the same period a year earlier. The agency said it enriched nearly 42,000 CVEs in 2025, 45% more than in any prior year, but that the increase was still not enough to keep up with incoming volume.

The NVD said the new model is intended to let it “focus on the most critical CVEs” while it develops automated systems and workflow changes for longer-term operations. NIST said users can request enrichment of lower-priority records by emailing the program, and it linked the change to a broader modernization effort already posted on the NVD site. (nist.gov)

### Which vulnerabilities move to the front of the line?

CISA’s KEV catalog now sits at the top of the enrichment queue, with NIST stating a goal of enriching those CVEs within one business day of receipt.
Federal-government software CVEs and vulnerabilities affecting critical software under Executive Order 14028 also receive priority treatment under the new workflow. (nist.gov)

NVD records outside those categories will still appear in the database, but without immediate NIST-added context such as severity scoring and product enumeration. NIST said those entries may still matter to affected organizations, but “generally do not present the same level of systemic risk” as the prioritized categories. (nist.gov)

### How does that intersect with Microsoft’s May patch load?

Microsoft’s May 12 release included 137 vulnerabilities, according to Cisco Talos and SC Media, with no flaws listed as actively exploited in the wild. SC Media reported that the month’s release was the first since June 2024 without a zero-day either exploited or publicly disclosed at release. (nist.gov)

Four Microsoft Word remote-code-execution bugs stood out in the May batch. SC Media, citing Tenable’s Satnam Narang, said the four Word flaws could be triggered through the Preview Pane, meaning a target would not need to fully open a malicious document. Cisco Talos listed Word and Office CVEs including CVE-2026-40361, CVE-2026-40364 and CVE-2026-40366 among the critical issues in the release. (nist.gov)

### What does this mean for patch teams already carrying backlog?

Microsoft’s 137-CVE release arrived in the same week that SAP published its May 2026 Security Patch Day bulletin, which included two critical 9.6-severity issues in SAP S/4HANA Enterprise Search for ABAP and SAP Commerce cloud configuration. (blog.talosintelligence.com) That means defenders choosing what to patch first are sorting across multiple vendors, not just one monthly Microsoft cycle. NIST’s queue change does not reduce that operational load, but it does change where federal agencies and vendors are most likely to see NVD enrichment first.
The practical effect is that KEV-listed bugs and federal-software CVEs should receive NVD metadata faster than lower-priority records, while other entries may remain in the database without immediate enrichment. (scworld.com) That sequencing follows NIST’s published criteria rather than vendor release calendars.

### Where can defenders track the next updates?

The NVD site says its website and API are operational and lists April 15, 2026 as the date of the workflow change. The same page points users to the NVD general and technical update feeds and notes API support for CISA KEV-related parameters. (support.sap.com) Microsoft’s Security Update Guide remains the source for the May 2026 release set, and SAP’s May 2026 Patch Day bulletin is already posted on its support site. NIST said requests to enrich lower-priority CVEs can be sent to the NVD program’s published email address as resources allow. (portal.msrc.microsoft.com) (nist.gov 1) (nist.gov 2)
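One consequence of the new queue is that a record can be present in the NVD while carrying no NIST-assigned severity or product data, so a patch-triage script cannot assume every CVE it pulls has a CVSS score. The script below is an added example, not code from NIST, CISA, Microsoft or SAP. It assumes the NVD API 2.0 response layout (a top-level `vulnerabilities` list whose entries wrap a `cve` object with `id`, `vulnStatus`, an optional `cisaExploitAdd` date for KEV-listed records, and `metrics` entries tagged with their `source`), uses the API's `hasKev` filter parameter to build a KEV-only query URL, and orders records KEV-first while flagging those that NIST has not yet enriched. The four CVE records are constructed sample data with made-up identifiers and scores.

```python
"""Triage CVE records in NVD API 2.0 response shape, KEV-first.

Added example; not NIST/CISA/Microsoft/SAP code. Assumes the NVD API 2.0
JSON layout described in the lead-in. Sample records below are constructed.
"""
from typing import Optional
from urllib.parse import urlencode

NVD_CVES_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"
NVD_SOURCE = "nvd@nist.gov"  # source value on metrics that NIST itself assigned
METRIC_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30")


def kev_query_url(results_per_page: int = 2000, start_index: int = 0) -> str:
    """Build a query restricted to CISA KEV-listed CVEs.

    `hasKev` is a value-less filter on the NVD API; resultsPerPage and
    startIndex are its standard paging parameters.
    """
    paging = urlencode({"resultsPerPage": results_per_page, "startIndex": start_index})
    return f"{NVD_CVES_URL}?hasKev&{paging}"


def base_score(cve: dict, source: Optional[str] = None) -> Optional[float]:
    """Return the highest-version CVSS base score on the record.

    With source="nvd@nist.gov" only NIST-enriched metrics count; with
    source=None any metric (e.g. CNA-supplied) is accepted.
    """
    metrics = cve.get("metrics", {})
    for key in METRIC_KEYS:
        for entry in metrics.get(key, []):
            if source is None or entry.get("source") == source:
                return float(entry["cvssData"]["baseScore"])
    return None


def triage(payload: dict) -> list:
    """Order records: KEV-listed first, then by best available score.

    Each result notes whether NIST has enriched the record, so a missing
    NVD score is visible rather than silently treated as low severity.
    """
    rows = []
    for item in payload.get("vulnerabilities", []):
        cve = item["cve"]
        nvd_score = base_score(cve, NVD_SOURCE)
        rows.append({
            "id": cve["id"],
            "in_kev": "cisaExploitAdd" in cve,
            "nvd_enriched": nvd_score is not None,
            "status": cve.get("vulnStatus", "unknown"),
            # Fall back to a CNA-supplied score when NIST has not enriched yet.
            "score": nvd_score if nvd_score is not None else base_score(cve),
        })
    rows.sort(key=lambda r: (0 if r["in_kev"] else 1,
                             -(r["score"] if r["score"] is not None else -1.0),
                             r["id"]))
    return rows


def _metric(score: float, source: str, kind: str) -> dict:
    """Helper to build one cvssMetricV31 entry for the constructed sample."""
    return {"source": source, "type": kind,
            "cvssData": {"version": "3.1", "baseScore": score}}


# Constructed sample in NVD API 2.0 shape; IDs and scores are made up.
SAMPLE_RESPONSE = {"vulnerabilities": [
    {"cve": {"id": "CVE-2026-00004", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [_metric(5.3, NVD_SOURCE, "Primary")]}}},
    {"cve": {"id": "CVE-2026-00002", "vulnStatus": "Awaiting Analysis",
             "cisaExploitAdd": "2026-05-13",  # KEV-listed, NIST enrichment pending
             "metrics": {"cvssMetricV31": [_metric(8.8, "cna@example.invalid", "Secondary")]}}},
    {"cve": {"id": "CVE-2026-00003", "vulnStatus": "Awaiting Analysis",  # lowest-priority tier
             "metrics": {"cvssMetricV31": [_metric(7.5, "cna@example.invalid", "Secondary")]}}},
    {"cve": {"id": "CVE-2026-00001", "vulnStatus": "Analyzed",
             "cisaExploitAdd": "2026-05-12",
             "metrics": {"cvssMetricV31": [_metric(9.8, NVD_SOURCE, "Primary")]}}},
]}

if __name__ == "__main__":
    print(kev_query_url())
    for row in triage(SAMPLE_RESPONSE):
        print(row)
```

Run against a live pull, the KEV query URL is what you would fetch (the API rate-limits unauthenticated callers, so page through `startIndex`), and the `nvd_enriched` flag separates records NIST has scored from those still waiting in the lower-priority tier, which is exactly the split the April 15 change introduces.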