Surging CVE disclosures force NIST to shake up workflows | Computer Weekly



The US National Institute of Standards and Technology (NIST) is in the process of shaking up the way in which it handles common vulnerabilities and exposures (CVEs) listed in the National Vulnerability Database (NVD) in the face of a rapidly changing threat environment.

Previously, the NVD programme aimed to analyse all CVEs received to add details – like severity scores and affected product lists – to help cyber teams prioritise and mitigate relevant vulnerabilities. It terms this process ‘enrichment’.

However, going forward, it will enrich only those CVEs that meet a predefined set of criteria – those flaws that don’t meet this bar will still be listed but will be marked as lower priority issues.

“This change is driven by a surge in CVE submissions, which increased 263% between 2020 and 2025. We don’t expect this trend to let up anytime soon. Submissions during the first three months of 2026 are nearly one-third higher than the same period last year,” NIST said in a statement.

“We are working faster than ever. We enriched nearly 42,000 CVEs in 2025 – 45% more than any prior year. But this increased productivity is not enough to keep up with growing submissions. Therefore, we are instituting a new approach.”

The authority hopes that these changes will enable it to stabilise its programme and buy some time to help it develop new automated systems and workflow enhancements.

Priorities

The new criteria went into effect on Wednesday 15 April, with the following CVEs prioritised:

“This will allow us to focus on CVEs with the greatest potential for widespread impact. While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritised categories,” said NIST.

The organisation acknowledged that the new criteria may not catch every potentially high-impact flaw, so users will be able to request reviews of lower priority CVEs for enrichment.

At the same time, NIST will no longer routinely provide a separate severity score for CVEs that have already been assigned one by the CVE Numbering Authority (CNA) that submitted them, such as Microsoft. It said this was an effort to reduce duplication of effort and better focus its resources, although users are also able to request reviews of specific CVEs.

NIST is also changing how it goes about reanalysing enriched CVEs that have been modified after enrichment. Previously it had reanalysed all modified flaws but it will now only do so if it becomes aware of a modification that materially impacts its enrichment data. Again, a user-requested review system will be put in place.

The backlog

In relation to a significant backlog of unenriched CVEs that started to develop two years ago, NIST stated that it has not been able to clear this down and so all backlogged CVEs with an NVD publish date before 1 March 2026 will be moved into the ‘Not Scheduled’ category. CVEs falling into this bucket will be considered for enrichment provided they meet the new prioritisation criteria.

Finally, NIST is updating CVE status labels and descriptions, and making changes to the NVD Dashboard to accurately report these.

The organisation said it recognised it was making big changes that will affect everyday users. However, it reiterated that adopting a risk-based approach is necessary to manage the surge in submissions and buy it time to build new systems that will ensure the sustainability of its offering going forward.

Denis Calderone, principal and chief technology officer at Suzu Labs, said NIST had probably taken the right decision.

“An overhaul was certainly needed and probably inevitable given the volume of new CVE submissions, and we suspect that AI-assisted discovery is probably already pushing that number higher. After all, Microsoft just had its second-largest Patch Tuesday ever, and even ZDI says their incoming submissions have tripled thanks to AI tools,” said Calderone.

“We are excited to see NIST making Kev the top priority tier. That is the right call and something we’ve been doing with our clients for some time now, so we’re very happy to see that becoming the official model.”

However, Calderone criticised some perceived gaps in NIST’s new methodology, specifically the ending of CVE scoring when the submitting authority has already scored it.

“That sounds efficient until you remember that the submitting authority is often the vendor, and vendors don’t always get their own bugs right,” he said. “We just went through this with F5. A recent BIG-IP vulnerability was scored 8.7 HIGH as a denial-of-service issue for five months before it got reclassified as a 9.8 RCE. For organisations using CVSS to drive patching priority, that miscategorisation meant the real risk sat in the wrong queue for five months while attackers were already exploiting it.”

“The other thing missing here is that NIST addressed the processing volume problem but didn’t touch the scoring methodology. CVSS still scores vulnerabilities in isolation. It doesn’t model chainability, where an attacker combines a medium-severity information disclosure with a medium-severity privilege escalation and ends up with critical impact. Neither bug scores as urgent on its own, but together they give you full system compromise.”

Calderone said that for security leaders who have relied on NVD as their go-to for vulnerability context, the time was nigh to build their own prioritisation stack. This could incorporate data from Cisa’s Kev catalogue, Exploit Prediction Scoring System (EPSS) information, and their organisation’s own environmental context.

“The days of waiting for NIST to tell you what matters are over,” he remarked.
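A minimal sketch of such a prioritisation stack, added here as an illustration and not taken from the article, NIST or Suzu Labs. It puts Kev-listed CVEs in the top tier, blends CVSS, EPSS and environmental context below that, and flags records that NVD has not enriched; the weights, the 0.6 threshold, the neutral default of 5.0 and all sample records are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Finding:
    cve: str
    in_kev: bool                 # listed in the Kev catalogue
    epss: Optional[float]        # EPSS probability 0..1, None if unavailable
    nvd_cvss: Optional[float]    # None when NVD has not enriched the record
    cna_cvss: Optional[float]    # score supplied by the submitting CNA
    internet_facing: bool        # environmental context from your own inventory
    asset_critical: bool

def base_severity(f: Finding):
    """Pick a CVSS base score and record where it came from."""
    if f.nvd_cvss is not None:
        return f.nvd_cvss, "nvd"
    if f.cna_cvss is not None:
        return f.cna_cvss, "cna"
    return 5.0, "none"           # assumed neutral default for unscored CVEs

def priority(f: Finding):
    """Return (tier, score, notes); weights and threshold are assumptions."""
    sev, source = base_severity(f)
    score = 0.4 * sev / 10 + 0.4 * (f.epss or 0.0)
    score += 0.1 * f.internet_facing + 0.1 * f.asset_critical
    notes = []
    if source == "cna":
        notes.append("vendor-scored only: re-check severity")
    elif source == "none":
        notes.append("unscored: needs manual triage")
    tier = 1 if f.in_kev else 2 if score >= 0.6 else 3
    return tier, round(score, 3), notes

def rank(findings):
    """Kev entries first, then by descending composite score."""
    return sorted(findings, key=lambda f: (priority(f)[0], -priority(f)[1]))

# Constructed sample data; the CVE identifiers are placeholders.
FINDINGS = [
    Finding("CVE-0000-0003", False, 0.01, 9.8, 9.8, False, False),
    Finding("CVE-0000-0004", False, None, None, None, True, False),
    Finding("CVE-0000-0002", False, 0.92, None, 8.7, True, True),
    Finding("CVE-0000-0001", True, 0.10, None, 6.5, False, False),
]

if __name__ == "__main__":
    for f in rank(FINDINGS):
        print(f.cve, *priority(f))
```

The Kev-listed record ranks first despite its modest CVSS and EPSS values, and the record carrying only a vendor score is flagged for a severity re-check rather than trusted as-is.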




War Memes Are Turning Conflict Into Content



As ceasefire announcements between the US and Iran—and separately between Israel and Lebanon—dominated headlines over the past two weeks, they also prompted a look back at how war spread online: through memes.

There were jokes about conscription. Captions about getting drafted, but at least with a Bluetooth device. The song “Bazooka” went viral, with users lip-syncing to: “Rest in peace my granny, she got hit by a bazooka.” Military filters followed. So did posts about Americans wanting to be sent to Dubai “to save all the IG models.”

Across the Gulf, the tone was different but the instinct was the same. Memes joked that Iran was replying to Israel faster than the person you’re thinking about. Delivery drivers were shown “dodging missiles.” “Eid fits” became hazmat suits and tactical vests.

Dark humor is one of the oldest responses to fear, a way of reclaiming control, however briefly, over events that offer none. Variations of that idea appear across psychology and philosophy, including Freud’s relief theory, which frames humor as a release of tension.

But social media changes the scale and speed of that instinct.

A joke once shared within a small community can become a global template in minutes. Algorithms do not reward depth or accuracy; they reward engagement. The memes that travel fastest are usually stripped of context, easy to recognize and simple to remix.

Middle East scholar and media analyst Adel Iskandar traces political satire back centuries, from banned satirical papyri in ancient Egypt to cartoons during revolutions and gallows humor in modern wars. “Where there is hardship, there is satire,” he says. “Where there is loss of hope, there is hope in comedy.”

That tradition still exists online. But today it is fused with recommendation systems designed to keep attention moving.

Memes Spread Faster Than Facts

The word “meme” was coined by Richard Dawkins in his 1976 book The Selfish Gene, where he described how ideas replicate like genes. On today’s internet, replication follows platform logic.

Fitness means generality. A meme does not need to be accurate. It needs to feel familiar. It needs the right format, paired with trending audio and the right emotional shorthand.

“A meme is like a virus,” Iskandar says. “If it doesn’t travel, it’ll die.”

The most visible response online is not always the truest one. It is often just the easiest to spread. And once context disappears, one crisis can start to resemble any other.

Geography shapes humor too, and adds another level of tension. “If you live far away from the threat, you’re capable of producing content that ridicules it with an element of safety,” says Iskandar. “Whereas if you happen to be within close proximity, it is more of a fatalism.”

That divide matters. For some users, war exists mainly as mediated spectacle: clips, edits, graphics, headlines, and reaction posts. For others, it is sirens, uncertainty, disrupted flights, rising prices, and messages checking who is safe.

The same meme can function as entertainment in one country and emotional survival in another. Take the American experience of violence, which Sut Jhally, professor of communication at the University of Massachusetts Amherst, says “is very mediated.”

What much of the Western world has consumed instead is what cultural critic George Gerbner called “happy violence”: spectacular, consequence-free, and detached from the aftermath.

Jhally argues that the September 11 attacks remain the defining modern American experience of war-adjacent political violence. Much else has been cinematic: distant invasions, blockbuster destruction, video-game logic, apocalypse franchises.

The teenager from the Midwest joking about being drafted is drawing from zombie films and superhero apocalypses. “There is almost no discussion about what an actual Third World War would look like,” he says. “People do not have a perception of what that really looks like.”






Hyundai’s New Ioniq 3 Has Hot-Hatch Looks, but Can It Beat BYD?



Hyundai has unveiled its Ioniq 3, a fully electric compact hatchback for urban driving designed to be as aerodynamically efficient as possible yet still offer up a surprisingly spacious interior—a trick the carmaker is loftily calling Aero Hatch. The 3 is intended to fill the gap between Hyundai’s Inster supermini and Ioniq 5 crossover.

In profile, the Ioniq 3 has a sleek front end that transitions into a roofline that stays straight over both front and rear occupants before dropping to merge with the rear spoiler. It’s this roofline that maximizes interior headroom for the rear passengers, but it also offers a supposed class-leading drag coefficient of 0.263.

The Ioniq 3’s impressive aerodynamics will supposedly help it get more than 300 miles on a single charge.


The car has the same underpinnings as its sibling brand, Kia’s EV2. Two battery options will deliver a projected WLTP distance of 344 km (around 214 miles) for the Standard Range Ioniq 3; the Long Range version is supposedly good for a competitive 308-mile range. Built on the group’s Electric-Global Modular Platform (E-GMP), the car has a 400-volt architecture to lower costs rather than the 800-volt system of the Ioniq 5 N, 6, or 9 SUV. Still, this means that if you can find sufficiently fast DC charging, you can, in theory, top up from 10 to 80 percent in approximately 29 minutes (AC charging capability is up to 22 kW).

This is fine, but it is not a match for BYD’s new Blade 2.0 battery tech that WIRED tried, astonishingly allowing the Denza Z9 GT to charge its battery in just over nine minutes from 10 percent. True, that battery tech was in a $100,000 “premium” EV, but it’s coming to BYD’s wider models. And if BYD makes good on its plans to deliver a charging network to rival Tesla’s Supercharger, then very soon buyers will be expecting comparable charge times, and 30 minutes will quickly feel awfully long.

I asked José Muñoz, Hyundai Motor Company president and CEO, whether this new battery technology from BYD concerns him, whether Hyundai—leading the EV pack with 800-volt architectures for so long—needs to match the Blade 2.0’s performance. “We welcome the challenge,” Muñoz tells me. “Every challenge is an opportunity to do better. And I can tell you that, lately, we have a lot of opportunities to do better.”

“We are also working on fast charging,” Muñoz says, adding that Hyundai’s success will be built on not merely one leading technology but many. “There are not more elements that may be offered by the Chinese that we can offer. It’s only a matter of how you mix them. A lot of times, you get stuck into one indicator. I’m an engineer. And we always have the example of the airplanes: What is more important in an airplane, altitude or speed? There is only one answer. You need to achieve both.”




Prego Has a Dinner-Conversation-Recording Device, Capisce?



Prego, the pasta sauce company, is getting into hardware with a device that sits on your table and records dinner conversations. No, this isn’t April Fools’.

The Connection Keeper is a round puck that houses two microphones for recording around the table. The recorder was developed in partnership with StoryCorps, the 20-year-old nonprofit that has recorded conversations with more than 720,000 people about their lives.

The Connection Keeper is more of a publicity stunt than a readily available product. Fewer than 100 will be made. The pucks look more like a tuna can than what you’d associate with the pasta sauce brand—small and meant to be tucked aside so as not to attract attention. The whole goal here, Prego and StoryCorps say, is to advocate for keeping people off their phones during dinner.

“Everything now is AI, and everyone has their phones on the table,” says Elyce Henkin, a managing director of StoryCorps studios and brand partnerships. “It interrupts the conversation and the flow. We wanted to get rid of that and go back to the basics and have everyone talking to each other.”

The pucks come packaged with cards inspired by StoryCorps, designed to prompt conversations between family members. Some are aimed at kids; some are aimed at parents or other family members.

The device doesn’t record automatically. Press a button, and the device begins recording CD-quality audio. Push the button again to stop. It records all the audio on a 16-GB microSD card that can hold up to eight hours of audio at a time. Those recordings can then be saved on a StoryCorps microsite or the family’s own storage. There is no cloud connection, no Wi-Fi, and no artificial intelligence features whatsoever.

The more communal element of the project is that StoryCorps will allow users to share their recordings on its website (or keep them private). Anything that has been voluntarily shared will also be physically preserved as a recording along with the larger StoryCorps collection within the US Library of Congress.

Prego is a US company, named after the Italian word for “you’re welcome.” I’ll tell you this from experience growing up in an Italian-American extended family: The Connection Keeper is going to have a hell of a time keeping track of a conversation at a table full of loud uncles and your wine-drunk grandma, who all talk at the same time.

“I think it’s how a lot of families are,” Henkin says. “What StoryCorps does is that it reminds us of our similarities and the humanity that’s in us all, even though we are all different. I imagine that if someone were to go through and listen to the collection, there would be rowdy moments, and there would be kids laughing and moms saying, ‘Don’t eat with your mouth full.’ That’s all part of the truth of it.”


