For decades, the National Vulnerability Database has been the foundation of how the world tracks software and hardware vulnerabilities. When a researcher discovers a flaw in your router, your smart home hub, or any piece of connected hardware, the details eventually land in the NVD - enriched with severity scores, affected product lists, and remediation guidance that security tools, manufacturers, and home users rely on to understand what's dangerous and what isn't.
On April 15, 2026, NIST effectively announced that this system is no longer functioning as designed for the majority of reported vulnerabilities.
What Changed
Starting April 15, NIST implemented a new triage policy for NVD enrichment. Previously, NIST aimed to analyze and enrich every CVE submitted to the database - adding CVSS severity scores, Common Platform Enumeration (CPE) data identifying affected products, and remediation context. This enrichment is what turns a raw CVE identifier into actionable security information.
Under the new policy, NIST will only prioritize enrichment for three categories:
- CVEs in CISA's Known Exploited Vulnerabilities (KEV) catalog - flaws confirmed to be actively exploited in the wild
- CVEs affecting software used within the federal government
- CVEs for critical software as defined by Executive Order 14028
Everything else gets classified as "Lowest Priority - not scheduled for immediate enrichment." It will still be listed in the NVD with the basic CVE identifier. But it won't have the severity score, affected product list, or remediation guidance that security tools depend on.
NIST estimates this three-category filter covers approximately 15-20% of anticipated CVE volume. The other 80-85% of vulnerabilities will sit in the database as unenriched shells.
Why It Got to This Point
The CVE program has been overwhelmed by volume. Between 2020 and 2025, CVE submissions increased by 263%. In 2025 alone, NIST enriched nearly 42,000 CVEs - 45% more than any previous year - and still couldn't keep pace. The first three months of 2026 came in nearly one-third higher than the same period last year.
The pipeline was already strained when, in early 2024, NIST began falling behind, accumulating a backlog of unenriched CVEs that never cleared. An additional complication: MITRE, which manages the CVE program, temporarily faced funding uncertainty that disrupted the broader vulnerability disclosure ecosystem. The combination of record submission volumes, staffing constraints, and funding turbulence produced a system that was managing less than it was receiving.
By April 2026, approximately 29,000 backlogged CVEs were reclassified as "Not Scheduled" - meaning they will not receive NIST enrichment in the foreseeable future.
Why This Matters for IoT and Smart Home Devices
The three priority categories NIST selected - KEV catalog, federal government software, and EO 14028 critical software - are oriented entirely toward enterprise and government IT. Home IoT devices are almost entirely outside those categories.
Your router doesn't run federal government software. Your smart home hub isn't classified as critical infrastructure software under Executive Order 14028. Your IP cameras and smart locks are not on CISA's Known Exploited Vulnerabilities catalog - at least not until they're actively exploited in the wild, at which point the damage is already being done.
This creates a gap with direct consequences for home users:
Vulnerability scanners will miss more. Commercial and open-source vulnerability scanners - including tools that router manufacturers use to assess whether their devices have known flaws - rely on NVD data to identify affected products and trigger alerts. Without CVSS scores and CPE data, most automated systems default to treating an unenriched CVE as low priority or ignore it entirely.
Manufacturers have less signal. Device makers who run NVD-based monitoring to catch CVEs affecting their products will miss vulnerabilities that weren't enriched. Flaws in their firmware may sit in the database for months without triggering any internal review.
The patch gap widens. The NVD enrichment process was part of the chain that connected a discovered vulnerability to a user getting a security update. Remove enrichment, and the chain gets longer and more likely to break before it reaches the end device.
Home users lose their baseline. Sites like haveibeenpwned.com, router security checkers, and IoT security scanners often trace their data back to NVD. As that data becomes less complete, consumer-facing security tools become less reliable.
The Deeper Problem: Volume Is Structural
The CVE surge isn't going away. Security research is increasing, bug bounty programs are growing, and the number of connected devices being actively scrutinized is expanding. The NVD was designed for a world with a few thousand CVEs per year; it's now processing tens of thousands.
NIST's response is pragmatic given the constraints, but it's a managed retreat. The agency is explicitly prioritizing known exploitation and federal/critical infrastructure software because that's where the highest-stakes vulnerabilities land. Consumer IoT - a category that includes literally billions of devices in homes worldwide - doesn't register as a priority under this framework.
This isn't a criticism of NIST. It's a structural problem with how vulnerability management was designed at a time when the scale of today's IoT ecosystem was unimaginable.
What Home Users Can Do
The shift doesn't mean you're flying blind, but it does mean the tools and processes that implicitly relied on NVD completeness are now less reliable. Here's how to adapt:
Check vendor security pages directly. Don't wait for NVD to inform you that your router has a critical vulnerability. Go to your router manufacturer's support site and look for a security advisory page. Subscribe to their security bulletins if they offer one. Router manufacturers like Asus, Netgear, TP-Link, and others maintain their own advisory feeds independent of NVD enrichment timelines.
Follow CISA's KEV catalog. The Known Exploited Vulnerabilities catalog at cisa.gov/known-exploited-vulnerabilities-catalog is one of the three categories NIST is still prioritizing - and it's publicly accessible. If a vulnerability in consumer hardware reaches this list, it means it's being actively exploited. Bookmark it and check periodically.
Use router security assessment tools. Tools like RouterSecurity.org and Bitdefender Home Scanner provide assessments based on device testing and known vulnerability databases, not exclusively NVD. They fill in some of the gap.
Enable automatic firmware updates where possible. If your router or smart home hub has an automatic update setting, enable it. This removes the dependency on you catching a CVE disclosure and manually initiating an update.
Subscribe to security feeds from sources beyond NVD. The Hacker News, BleepingComputer, and SecurityWeek all independently report on significant IoT vulnerabilities - often faster than NVD enrichment would flag them. Following these sources gives you earlier warning than waiting for NVD to process a CVE.
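The scanner behaviour described under "Vulnerability scanners will miss more" and the advice to follow the KEV catalog can be combined into one triage check that surfaces unenriched CVEs instead of dropping them. This is an added example, not code from NIST, CISA or this article; the CVE IDs, vendor and device names, and the inventory list are constructed, and the records assume the field layout of the NVD API 2.0 and CISA KEV JSON feeds.

```python
# Constructed records in the NVD API 2.0 item shape; IDs and products are made up.
NVD_SAMPLE = [
    {"cve": {"id": "CVE-0000-0001",
             "descriptions": [{"lang": "en", "value": "Command injection in ExampleCo HomeRouter X1."}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"criteria": "cpe:2.3:o:exampleco:homerouter_x1_firmware:*:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002",  # unenriched: no score, no CPE data
             "descriptions": [{"lang": "en", "value": "Auth bypass in ExampleCo HomeRouter X1."}]}},
    {"cve": {"id": "CVE-0000-0003",  # unenriched, but listed in the KEV sample below
             "descriptions": [{"lang": "en", "value": "Hard-coded credentials in ExampleCo PorchCam 2."}]}},
    {"cve": {"id": "CVE-0000-0004",  # not a device in the inventory
             "descriptions": [{"lang": "en", "value": "Buffer overflow in OtherVendor NAS."}]}},
]
KEV_SAMPLE = {"vulnerabilities": [{"cveID": "CVE-0000-0003"}]}  # constructed KEV-style entry
INVENTORY = ["homerouter x1", "porchcam 2"]  # hypothetical devices on the home network


def cpes(cve):  # CPE match strings on a record (empty when unenriched)
    return [m["criteria"] for c in cve.get("configurations", [])
            for n in c.get("nodes", []) for m in n.get("cpeMatch", [])]


def base_score(cve):  # highest CVSS base score across metric versions, or None
    scores = [m["cvssData"]["baseScore"] for ms in cve.get("metrics", {}).values() for m in ms]
    return max(scores, default=None)


def triage(nvd_items, kev, inventory):
    kev_ids = {v["cveID"] for v in kev["vulnerabilities"]}
    verdicts = {}
    for cve in (item["cve"] for item in nvd_items):
        text = " ".join(d["value"] for d in cve.get("descriptions", [])).lower()
        text += " " + " ".join(cpes(cve)).replace("_", " ")
        if not any(device in text for device in inventory):
            continue
        score = base_score(cve)
        if cve["id"] in kev_ids:
            verdicts[cve["id"]] = "urgent: known exploited"
        elif score is None or not cpes(cve):
            # Missing enrichment is not evidence of low severity.
            verdicts[cve["id"]] = "review manually: unenriched"
        else:
            verdicts[cve["id"]] = f"scored {score}"
    return verdicts


if __name__ == "__main__":
    print(triage(NVD_SAMPLE, KEV_SAMPLE, INVENTORY))
```

Because unenriched records carry no CPE data, the match falls back to the free-text description, so inventory names should be written the way vendors name the product in advisories.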
The Bottom Line
The NVD crisis doesn't mean the internet is suddenly more dangerous than it was before April 15. Vulnerabilities were being discovered and exploited before NVD, and they'll continue to be discovered with or without full enrichment.
What the policy change does mean is that one of the key systems designed to give home users and manufacturers visibility into those risks is now significantly less comprehensive than it was. The responsibility for staying informed about vulnerabilities in your home network now sits more squarely on your shoulders than it did before.
In a year when router CVE waves, camera credential leaks, and library-level certificate forgery flaws are making headlines every week, that's a significant shift in burden.



