CVE Publication Hits All-Time High: 5,000+ Vulnerabilities Reported in May

In an unprecedented surge, May saw the publication of over 5,000 Common Vulnerabilities and Exposures (CVEs), marking a historic milestone in cybersecurity. Newly published CVE records are averaging 164 per day, nearly double the daily average from 2023, which stood at 84.

Cisco Security researcher Jerry Gamblin published a tweet with a graph and link to the data on GitHub, which he generates to track CVE data points throughout the year.

Gamblin’s May 2024 CVE data shows an unprecedented surge in CVEs:

• Total Number of CVEs: 5103
• Average CVEs Per Day: 164.61
• Average CVSS Score: 6.42

The CVE program continues to add CNAs at a healthy clip, and the volume of CVEs is clearly growing each year, but a dramatic increase in actual vulnerabilities may not be the cause of May’s unprecedented numbers. Approximately 1,100 of last month’s CVEs were for the Linux kernel, related to a controversial move that has essentially flooded the NVD with bugs.

“There are many very serious people who don’t think most of these kernel issues should have CVE IDs,” Josh Bressers, VP of Security at Anchore, said in a recent blog post about why vulnerabilities are out of control in 2024. “They claim the bugs aren’t bad enough to warrant a CVE, and more verification should be done on the bugs, and they should only be filing things attackers could use to steal bitcoins. There are many complaints about this volume of IDs. The kernel is doing something new and different, so it must be wrong.”

Bressers contends that the ubiquity of the kernel’s use across devices makes it difficult to gauge what is a vulnerability. Additionally, there are varying opinions on what should qualify as a CVE. The lack of a clear definition creates inconsistencies in the identification and reporting of vulnerabilities.

“Even if we ignore these supposed low quality kernel CVE IDs, there are also a lot of non-kernel CVE IDs that could be considered low quality,” Bressers said. “What this means is vulnerabilities that could be considered plain old bugs depending on who does the analysis. If we want to raise the bar for what a vulnerability is, that won’t just affect the kernel, it would affect a number of CVE IDs. There are a lot of bugs that are right on the line for what the definition a vulnerability is. It’s sadly about as well defined as what a sandwich is.”

The CVE Program Designates CISA as the First CVE Authorized Data Publisher (ADP)#

The steady increase in CVE volume has strained the NVD, which recently engaged a contractor to assist in tackling the growing backlog of CVEs awaiting analysis. The NVD is aiming to clear the backlog by September while overhauling and modernizing its operations. It’s a bit like trying to change a tire on a moving vehicle, but the security community is optimistic that the agency can meet its self-appointed goal.

NIST has also enlisted help from CISA to enrich CVEs. This week, the CVE Program, whose mission is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities, has officially designated CISA as its first-ever CVE Authorized Data Publisher (ADP). The ADP role authorizes CISA to enrich CVE records with the following data:

1. Stakeholder-Specific Vulnerability Categorization (SSVC)
2. Known Exploited Vulnerabilities (KEV) catalog data
3. “Vulnrichment” updates (e.g., missing CVSS, CWE, CPE information for CVE Records that meet specific threat characteristics)

This announcement formalizes what has already been happening since CISA launched its Vulnrichment program and clarifies the process where CISA will provide “a two-pass enrichment for new CVE Records as they are published.” The first pass is to include data on Exploitation, Automatable, and Technical Impact. CISA will take a second pass to fill in CWE, CVSS, or CPE data where missing and add those metrics to the dedicated CISA ADP container. The announcement also further clarifies how uncertain cases will be resolved:

Of these issues, in some rare cases, it may be impossible to confidently field a guess on CWE, CVSS, or CPE. In those cases, the CISA ADP will not venture such a guess.

The CVE Program stated that additional ADPs may be added in the future. The role has clearly delineated authorizations and restrictions:

• An ADP augments the information in a CVE Record
• An ADP cannot modify the data the CNA has published in their “CNA container”
• All ADP updates to the CVE Records occur in a separate organizational “ADP container”

These recent changes have yet to put a dent in the backlog, as the CVEs awaiting analysis sits at 13,719 today. Delegating more authority to CISA and future ADPs should reduce the bottlenecks on CVE enrichment in the future, provided they can mitigate issues with conflicting data.