
National Vulnerability Database Shifts to Triage Model as CVE Submissions Surge 263% Amid AI-Driven Code Growth
The National Vulnerability Database (NVD) announced on April 15, 2026, that it will no longer enrich most CVEs, shifting to a triage model due to a 263% surge in submissions between 2020 and 2025. NIST will now prioritize enrichment for only 15–20% of CVEs, focusing on those in the CISA Known Exploited Vulnerabilities (KEV) catalog, U.S. federal government software, or critical infrastructure under Executive Order 14028.

The volume of CVEs grew from 40,000 in 2024 to a projected 70,000 in 2026, with AI-generated code contributing to higher vulnerability density—2.7 times more than human-written code—and AI-driven bug discovery increasing reports by 200%. Recent high-profile vulnerabilities include a GitHub RCE (Whiz Research), a Linux kernel flaw (Tayang Lee) found via AI-powered tools, and "Journey Frag," which was exploited before patch release due to an embargo break. The mean time to exploit dropped to -7 days in 2026, meaning attacks often precede patches, while GitHub commits surged to 275 million weekly, driven by 36 million new developers in the past year.

Three key drivers of the CVE explosion are AI-generated code, AI-accelerated vulnerability discovery, and exponential growth in code production. The video highlights concerns that AI is compressing the window between vulnerability disclosure and exploitation, outpacing patching capabilities.