Vulnerabilities within the NVD are derived from the CVE List which is maintained by processes upstream of the NVD. A common line of inquiry we receive is the about the difference between CVE statuses from the CVE program and the statuses assigned to vulnerabilities within the NVD. This page provides information regarding both sets of statuses and how they relate to each other.
CVE List Statuses
This table shows the CVE List statuses and what they mean, this information is derived from the CVE Program FAQs .
|CVE List Status||Description|
|RESERVED||A CVE Entry is marked as "RESERVED" when it has been reserved for use by a CVE Numbering Authority (CNA) or security researcher, but the details of it are not yet populated. A CVE Entry can change from the RESERVED state to being populated at any time based on a number of factors both internal and external to the CVE List.|
|PUBLISHED||The CVE Entry is populated with details. These are a CVE Description and reference link[s] regarding details of the CVE.|
When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Entry assigned to that issue may be designated as being "DISPUTED". In these cases, CVE is making no determination as to which party is correct. Instead, we make note of this dispute and try to offer any public references that will better inform those trying to understand the facts of the issue.
When you see a CVE Entry that is "DISPUTED", we encourage you to research the issue through the references or by contacting the affected vendor or developer for more information.
A CVE Entry listed as "REJECT" is a CVE Entry that is not accepted as a CVE Entry. The reason a CVE Entry is marked REJECT will most often be stated in the description of the CVE Entry. Possible examples include it being a duplicate CVE Entry, it being withdrawn by the original requester, it being assigned incorrectly, or some other administrative reason.
As a rule, REJECT CVE Entries should be ignored.
This table shows the NVD statuses and what they mean.
|Received||CVE has been recently published to the CVE List and has been received by the NVD.|
|Awaiting Analysis||CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.|
|Undergoing Analysis||CVE is currently being analyzed by NVD staff, this process results in association of reference link tags, CVSS scores, CWE association, and CPE applicability statements.|
|Analyzed||CVE has had analysis completed and all data associations made. Each Analysis has three sub-types, Initial, Modified and Reanalysis. Analyzed CVEs do not show a banner on the vulnerability detail page.
|Modified||CVE has been amended by a source (CVE Primary CNA or another CNA). Analysis data supplied by the NVD may be no longer be accurate due to these changes.|
|Deferred||When a CVE is given this status the NVD does not plan analyze or re-analyze this CVE due to resource or other concerns.|
|Rejected||CVE has been marked as "**REJECT**" in the CVE List. These CVEs are stored in the NVD, but do not show up in search results.|
CVE List and NVD Status Comparison
This table shows how the statuses from each organization relate to each other.
|CVE List Status||NVD Status|
|RESERVED||CVE not present in NVD|
NVD Status Workflow Diagram
The workflow depicted below shows when a CVE status can change and whether it occurs by NVD staff decisions or changes to the CVE List information