CVE-ID Syntax Change

CVE has a new ID numbering format for CVE Identifiers (i.e., CVE-IDs) that requires organizations to take action to ensure their products, tools, websites, and processes continue to work properly once CVE-ID numbers are issued using the new syntax before the end of 2014.

Summary

Due to the ever increasing volume of public vulnerability reports, the CVE Editorial Board and MITRE determined that the Common Vulnerabilities and Exposures (CVE®) project should change the syntax of its standard vulnerability identifiers so that CVE can track more than 10,000 vulnerabilities in a single year. The old CVE Identifier (CVE-ID) syntax used since the inception of CVE in 1999, CVE-YYYY-NNNN, only supported a maximum of 9,999 unique identifiers per year, requiring the change. The new CVE-ID syntax was determined in a vote by the CVE Editorial Board, details of which are available in the CVE Editorial Board Discussion List Archives.

Implementation Date

The CVE-ID Syntax Change took effect on January 1, 2014.

New CVE-ID Syntax

The new CVE-ID syntax is variable length and includes:

CVE prefix + Year + Arbitrary Digits

IMPORTANT: The variable length arbitrary digits will begin at four (4) fixed digits and expand with arbitrary digits only when needed in a calendar year, for example, CVE-YYYY-NNNN and if needed CVE-YYYY-NNNNN, CVE-YYYY-NNNNNNN, and so on. This also means there will be no changes needed to previously assigned CVE-IDs, which all include 4 digits.

Examples

Examples of identifiers in the new CVE-ID syntax are included below. Note that the arbitrary digits may be expanded from 4 digits when needed, but only IDs with up to 7 digits are shown below to help explain the new syntax. There is no limit on the number of arbitrary digits. Leading 0’s will only be used in IDs 1 to 999, as shown in column one below.

IDs with 4 digits    IDs with 5 digits    IDs with 6 digits    IDs with 7 digits
                     (when needed)        (when needed)        (when needed)
CVE-2014-0001        CVE-2014-10000       CVE-2014-100000      CVE-2014-1000000
CVE-2014-3127        CVE-2014-54321       CVE-2014-456132      CVE-2014-7654321
CVE-2014-9999        CVE-2014-99999       CVE-2014-999999      CVE-2014-9999999

NOTE: Some of the CVE-ID examples above have not yet been assigned.

Status of Previously Assigned CVE-IDs

All previously assigned CVE-IDs will remain as-is and will not be changed in any way as they already adhere to the new CVE-ID syntax because they include the CVE prefix + Year + 4 Arbitrary Digits (CVE-YYYY-NNNN), for example, CVE-1999-0067.

How to Prepare for the New CVE-ID Syntax

The CVE-ID syntax change will affect all users of CVE. Every type of CVE consumer, whether a vendor, CVE Numbering Authority (CNA), researcher, end user, etc., will need to consider the syntax change for the following CVE-related actions:

  • Output Format — CVE-IDs can be more than 13 characters wide (the length of a 4-digit CVE-ID), which could affect how CVEs are stored and presented in table columns, web pages, reports, databases, data feeds, XML documents, or other formats.
  • Input Format — Mechanisms that directly accept CVE IDs as input, such as a search routine or data feed, may need to be modified to accept the longer IDs. For example, an input routine might incorrectly report an error if it receives a CVE-ID with 5 digits.
  • Extraction or Parsing — Automated processes that detect the use of CVE-IDs in unstructured text, e.g., a vulnerability advisory, might need to be modified to remove the 4-digit assumption.
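
The three actions above, shown as a Python example that is added here and is not part of the original CVE guidance: a pattern with the 4-digit assumption silently truncates longer IDs into different, valid-looking IDs, while the updated pattern follows the syntax described on this page. The function names and the sample advisory text are constructed for illustration.

```python
import re

# Legacy pattern carrying the 4-digit assumption this page warns about.
LEGACY_EXTRACT = re.compile(r"CVE-\d{4}-\d{4}")

# New syntax as described on this page: exactly 4 digits, or 5 and more
# digits with no leading zero (leading zeros only appear in IDs 1 to 999).
CVE_BODY = r"CVE-(\d{4})-(\d{4}|[1-9]\d{4,})"
# Lookarounds stop a match from starting or ending inside a longer token.
UPDATED_EXTRACT = re.compile(r"(?<![A-Za-z0-9-])" + CVE_BODY + r"(?![0-9])")
UPDATED_VALIDATE = re.compile(CVE_BODY)

# Constructed sample text using example IDs from this page.
SAMPLE = ("Fixes CVE-2014-3127 and CVE-2014-54321; "
          "see also CVE-2014-7654321 and CVE-1999-0067.")


def extract_legacy(text):
    """Extraction as a tool with the old 4-digit assumption would do it."""
    return LEGACY_EXTRACT.findall(text)


def extract_updated(text):
    """Extraction that accepts variable-length arbitrary digits."""
    return [m.group(0) for m in UPDATED_EXTRACT.finditer(text)]


def is_valid_cve_id(candidate):
    """Input check: the whole string must be one well-formed CVE-ID."""
    return UPDATED_VALIDATE.fullmatch(candidate) is not None


def truncated_ids(text):
    """IDs the legacy pattern reports that do not appear whole in the text."""
    real = set(extract_updated(text))
    return [cve for cve in extract_legacy(text) if cve not in real]


def column_width(ids):
    """Output check: width needed to store or display the IDs untruncated."""
    return max(len(cve) for cve in ids)


if __name__ == "__main__":
    print("legacy :", extract_legacy(SAMPLE))
    print("updated:", extract_updated(SAMPLE))
    print("wrong IDs from legacy pattern:", truncated_ids(SAMPLE))
    print("column width needed:", column_width(extract_updated(SAMPLE)))
```

A truncated match is worse than a missed one, because the shortened string is itself a well-formed 4-digit CVE-ID and can be recorded against the wrong vulnerability.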

End users should ask their vendors and/or service providers if they have updated, or when they are planning to update, their products/services to the new CVE-ID syntax.

Please note that the set of categories of action above is neither complete nor authoritative, and this guidance may grow in the coming months, so please check back often. In the meantime, if you have suggestions for this list, please contact us at cve-id-change@mitre.org.

Technical Guidance and Test Data

For technical guidance and test data for developers and consumers for tools, web sites, and other capabilities that use CVE Identifiers (CVE-IDs), please see the Technical Guidance for Handling the New CVE-ID Syntax page.

Background

New CVE-ID Syntax Determined by CVE Editorial Board

Following periods of public feedback and discussion, the new CVE-ID syntax was determined in a final vote by the CVE Editorial Board in May 2013, details of which are available in the CVE Editorial Board Discussion List Archives.

Two rounds of voting were required, as the initial vote held by the Board in April 2013 among three proposed options resulted in a tie between two of the options (learn more about the original three options). A second vote was then held in May 2013 with only two options, a slightly modified Option A that extended the available numbering space to 8 fixed digits and the unchanged Option B with variable length digits (learn more about the final two options).

In the second vote the CVE Editorial Board selected "Option B, CVE prefix + Year + Arbitrary Digits" with 15 of the 18 votes cast.

Help

Please address any questions to cve-id-change@mitre.org.

 
Page Last Updated: July 30, 2014