
Security News

NVD Quietly Sweeps 100K+ CVEs Into a “Deferred” Black Hole

NVD now marks all pre-2018 CVEs as "Deferred," signaling it will no longer enrich older vulnerabilities, further eroding trust in its data.

Sarah Gooding

April 4, 2025

Without much fanfare, the NVD has begun mass-labeling older CVEs as "Deferred," effectively giving up on enriching them with detailed metadata like CVSS scores, CWEs, and CPEs.

In an April 2 update, the NVD announced that all CVEs published before 2018 will be marked as Deferred—a move that's already resulted in 20,000 Deferred CVEs overnight, with potentially 100,000 more to come:

All CVEs with a published date prior to 01/01/2018 will be marked as Deferred within the NVD dataset.
We are assigning this status to older CVEs to indicate that we do not plan to prioritize updating NVD enrichment or initial NVD enrichment data due to the CVE’s age.
CVEs marked as Deferred will display a banner on their CVE Detail Pages indicating this status.
This change will take place over the span of several nights. We are doing this to provide additional clarity regarding which CVE records are prioritized.

We will continue to accept and review requests to update the metadata provided for these CVE records. Should any new information clearly indicate that an update to the enrichment data for the CVE is appropriate, we will continue to prioritize those requests as time and resources allow.
In addition, we will prioritize any CVEs that are added to the KEV regardless of status.

That’s the official explanation for the new "Deferred" status, but what does it actually mean?

“Deferred” = “We’re Not Doing It”

A CVE marked as Deferred won’t get the usual metadata that makes it useful to security teams. There’s no CVSS score, no CWE classification, no CPEs—no way to know how bad it is, what it affects, or what kind of vulnerability it represents.

And while the NVD says it will still consider updates "as time and resources allow," history shows that's a black hole for many CVEs already stuck in "Undergoing Analysis" for over a year.

Vulnerability historian Brian Martin summed it up bluntly on LinkedIn. "Looks like we have yet another NVD value to consider, and this doesn't make sense on the surface," Martin said. "Yesterday 'Awaiting' was the same amount, 'Undergoing' was the same amount, but now we have an even 20,000 showing up as Deferred. Where did these come from, since there weren't 20,000 CVE yesterday..."

The Numbers Don’t Add Up

In a 24-hour span, the number of Deferred CVEs jumped from zero to exactly 20,000. Analysts quickly pointed out that CVE counts didn’t shift elsewhere, meaning these didn’t move from "Awaiting Analysis" or "Undergoing Analysis." They were simply reclassified en masse, likely pulled from a hidden or undisclosed bucket.

“Quick count shows that we'll get like 100K of Deferred CVE in a week or so,” security researcher Andrey Lukashenkov noted.

Even more concerning, this change was applied retroactively with no transparency on which CVEs were selected or why.

A New Way to Obscure the Backlog?

The timing and opacity of this change aren’t lost on the vulnerability research community. For months, experts have been calling out NVD's shifting definitions, first by splitting the backlog between “Awaiting Analysis” and “Undergoing Analysis,” and now by pushing tens of thousands of CVEs into a Deferred bucket where they no longer count toward the active queue.

“You cannot say ‘NVD backlog’ anymore,” Brian Martin warned last week. “NVD shifted their tactic... It’s time to be more specific on what ‘backlog’ means.”

By reclassifying large numbers of unprocessed CVEs as “Deferred,” the NVD reduces the appearance of backlog growth without conducting additional analysis. While the move may help clarify prioritization internally, it also results in materially less complete and less reliable public coverage, particularly for older vulnerabilities that may still pose real-world risk.

Security Teams Must Address Over-Reliance on the NVD

The NVD isn’t keeping up, and the implications are increasingly difficult to ignore. For years, the security industry’s over-reliance on the NVD as a canonical source of vulnerability metadata has masked underlying fragility. This dependence has led to downstream tooling, processes, and compliance frameworks that assume NVD coverage is both comprehensive and timely.

That assumption is no longer tenable. As the NVD continues to reclassify large swaths of unanalyzed CVEs and withdraws from enriching older vulnerabilities, it’s clear that the ecosystem must diversify its sources of truth.

"People treat NVD like heroin and you can't talk bad enough about it to make them stop using it because unlike heroin, NVD is free," Brian Martin said on LinkedIn. "Imagine if heroin was free, and the problems it would cause with addiction and unhealthy behavior? Welp, there you go, in the 'cyber' world."

Security teams can no longer delay confronting the operational risks introduced by this over-reliance. The lack of timely, structured metadata from the NVD is not a temporary disruption. It’s a systemic shift that demands immediate adaptation:

  • Diversify your feeds. Pull from CVE.org, vendor advisories, CISA KEV, OSV.dev, ExploitDB, and others.
  • Automate enrichment. Use tools that add CVSS, CPEs, exploit metadata, and risk scores.
  • Prioritize by risk, not status. Just because a CVE is Deferred doesn’t mean it’s not dangerous.
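A small triage script that puts the three points above into practice, added here as an illustration and not part of the original post or any Socket tooling. The sample records are constructed in the shape of the NVD API 2.0 response (`vulnerabilities[].cve.vulnStatus`, `metrics.cvssMetricV31`) and the CISA KEV catalog (`vulnerabilities[].cveID`); those field names and the vendor-score feed are assumptions, so check them against the live feeds before relying on this.

```python
from collections import Counter

# Constructed NVD-API-2.0-shaped records (not real CVE data): pre-2018 entries
# carry vulnStatus "Deferred" and no CVSS metrics, as the article describes.
NVD_SAMPLE = {"vulnerabilities": [
    {"cve": {"id": "CVE-2016-0001", "vulnStatus": "Deferred", "metrics": {}}},
    {"cve": {"id": "CVE-2017-0002", "vulnStatus": "Deferred", "metrics": {}}},
    {"cve": {"id": "CVE-2024-0003", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
    {"cve": {"id": "CVE-2024-0004", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]}}},
]}
# Constructed KEV-shaped catalog (field name cveID assumed from the real feed).
KEV_SAMPLE = {"vulnerabilities": [{"cveID": "CVE-2016-0001"}]}
# Constructed secondary feed (e.g. vendor advisory) that scores a CVE NVD did not.
VENDOR_SCORES = {"CVE-2017-0002": 7.5}


def status_counts(nvd):
    """Tally records per vulnStatus so a bucket shift (e.g. 0 -> 20,000 Deferred)
    is visible even when the totals for other buckets stay flat."""
    return Counter(v["cve"]["vulnStatus"] for v in nvd["vulnerabilities"])


def nvd_base_score(cve):
    """NVD CVSS v3.1 base score, or None when NVD never enriched the record."""
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    return metrics[0]["cvssData"]["baseScore"] if metrics else None


def triage(nvd, kev, vendor_scores, threshold=7.0):
    """Flag CVEs by risk signal, ignoring NVD status: KEV membership, or a
    CVSS score (NVD's if present, else a secondary feed's) at/above threshold."""
    kev_ids = {e["cveID"] for e in kev["vulnerabilities"]}
    flagged = []
    for v in nvd["vulnerabilities"]:
        cve, cid = v["cve"], v["cve"]["id"]
        score = nvd_base_score(cve)
        if score is None:                      # Deferred/unanalyzed: fall back
            score = vendor_scores.get(cid)
        reasons = []
        if cid in kev_ids:
            reasons.append("KEV")
        if score is not None and score >= threshold:
            reasons.append(f"cvss={score}")
        if reasons:
            flagged.append((cid, cve["vulnStatus"], reasons))
    return flagged
```

Run against the real feeds, `status_counts` gives a per-status snapshot to diff day over day, and `triage` surfaces Deferred CVEs that KEV or a vendor feed says still matter.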

Trust in the NVD Is Fracturing

This isn’t just a metadata problem; it’s an ecosystem problem.

Security teams still relying solely on NVD data may now be blind to tens of thousands of vulnerabilities, simply because the NVD chose not to finish processing them.

With CVE volume surging (up 48% year-over-year), the NVD’s strategy appears to be: if you can’t handle the backlog, redefine it. This should likely make for some interesting conversation at VulnCon in Raleigh next week.

Until NVD regains operational transparency and starts publishing detailed metadata at scale, organizations must assume the coverage gap is real and growing.
