CVE (Common Vulnerabilities and Exposures)
A CVE is a unique identifier — CVE-YYYY-NNNNN — assigned to a publicly disclosed vulnerability by a CVE Numbering Authority.
Definition
CVE stands for "Common Vulnerabilities and Exposures". It is a coordinated identifier system, maintained by MITRE under contract from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), that assigns a stable identifier — of the form `CVE-YYYY-NNNNN` — to each publicly disclosed software vulnerability. The identifier is the lingua franca of vulnerability management: a single CVE id links advisories, patches, scanner findings, and exploit tooling across vendors and tools.
CVE ids are issued by CVE Numbering Authorities (CNAs). Vendors run their own CNAs for their products (Microsoft, Google, Apple, Red Hat, etc.), and MITRE acts as the CNA of last resort for vulnerabilities not covered by a more specific authority. The full directory of CNAs lives at cve.org.
How it works
When a researcher reports a vulnerability, the affected vendor's CNA reserves a CVE id from its allocation block, attaches it to the internal tracking ticket, and publishes the id alongside the public advisory. The National Vulnerability Database (NVD) then enriches the record with CVSS scoring and CWE classification, typically within hours to days of publication. The full JSON record is published in MITRE's cvelistV5 repository on GitHub.
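As an added illustration (not code from MITRE or cve.org), the following Python snippet validates the identifier shape and pulls the fields a triage pipeline usually keys on out of a record laid out like a cvelistV5 JSON 5.x document (`cveMetadata` plus `containers.cna`); the sample record is constructed for the example and its field values are illustrative rather than copied from the live entry.

```python
import json
import re

# A CVE id is "CVE-" + four-digit year + a sequence number of at least four digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

def is_valid_cve_id(cve_id: str) -> bool:
    """True if the string has the CVE-YYYY-NNNN... shape (no registry lookup is done)."""
    return bool(CVE_ID_RE.match(cve_id))

def summarize_record(raw_json: str) -> dict:
    """Extract id, assigner, state, CVSS, CWE and affected ranges from a cvelistV5-style record."""
    rec = json.loads(raw_json)
    meta, cna = rec["cveMetadata"], rec["containers"]["cna"]
    if not is_valid_cve_id(meta["cveId"]):
        raise ValueError(f"malformed CVE id: {meta['cveId']!r}")
    # CVSS sits under metrics[*].cvssV3_1 (or cvssV3_0); take the first v3 block found.
    cvss = next((m[k] for m in cna.get("metrics", []) for k in m if k.startswith("cvssV3")), {})
    cwes = [d["cweId"] for pt in cna.get("problemTypes", [])
            for d in pt.get("descriptions", []) if "cweId" in d]
    affected = [f"{a['vendor']} {a['product']} < {v.get('lessThan', '?')}"
                for a in cna.get("affected", [])
                for v in a.get("versions", []) if v.get("status") == "affected"]
    return {"id": meta["cveId"], "assigner": meta.get("assignerShortName"), "state": meta["state"],
            "base_score": cvss.get("baseScore"), "severity": cvss.get("baseSeverity"),
            "cwes": cwes, "affected": affected}

# Constructed sample shaped like a cvelistV5 record (dataVersion 5.x); values are
# illustrative for the example, not copied from the published CVE-2021-44228 record.
SAMPLE_RECORD = json.dumps({
    "dataType": "CVE_RECORD", "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-2021-44228", "assignerShortName": "apache",
                    "state": "PUBLISHED", "datePublished": "2021-12-10T00:00:00"},
    "containers": {"cna": {
        "title": "Remote code execution in Apache Log4j2 via JNDI lookups",
        "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Log4j2",
                      "versions": [{"version": "2.0-beta9", "status": "affected",
                                    "lessThan": "2.15.0", "versionType": "semver"}]}],
        "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-502",
                                            "description": "Deserialization of Untrusted Data"}]}],
        "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 10.0, "baseSeverity": "CRITICAL",
                                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}}],
    }},
})

if __name__ == "__main__":
    print(summarize_record(SAMPLE_RECORD))
```

Records whose `cveMetadata.state` is `RESERVED` carry no `cna` container content yet, so a pipeline should check the state before expecting CVSS or affected data.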
Mitigation
Not applicable — CVE is an identifier scheme.
Examples
- CVE-2021-44228 (Log4Shell) — Critical RCE in Apache Log4j2.