CVE ID Syntax Change

CVE IDs can now have four or more digits in the sequence number portion of the ID. The CVE ID Syntax Change took effect on January 1, 2014, and CVE IDs using the new syntax were first issued on January 13, 2015.

The Distributed Weakness Filing (DWF) CNA is now actively assigning CVE IDs with seven digits, as of May 24, 2016.

Please ensure that your products, tools, websites, and processes are updated for the new syntax or they may not work properly.

Learn more:

Summary

Due to the ever increasing volume of public vulnerability reports, the CVE Editorial Board and MITRE determined that the Common Vulnerabilities and Exposures (CVE®) project should change the syntax of its standard vulnerability identifiers so that CVE can track more than 10,000 vulnerabilities in a single year. The old CVE Identifier (CVE ID) syntax used since the inception of CVE in 1999, CVE-YYYY-NNNN, only supported a maximum of 9,999 unique identifiers per year, requiring the change. The new CVE ID syntax was determined in a vote by the CVE Editorial Board, details of which are available in the CVE Editorial Board Discussion List Archives.

Implementation Date Deadline

The CVE ID Syntax Change took effect on January 1, 2014. CVE ID using the new syntax were issued beginning on January 13, 2015. See "First CVE IDs Issued in New Numbering Format Now Available" on the CVE News page, and "CVE IDs Posted Today for the First Time Using the New ID Syntax" on the CVE Editor's Commentary page, for additional information.

New CVE ID Syntax

The new CVE ID syntax is variable length and includes:

CVE prefix + Year + Arbitrary Digits

IMPORTANT: CVE IDs can now have four (4) or more digits in the sequence number portion of the ID. For example, CVE-YYYY-NNNN with 4 digits in the sequence number, CVE-YYYY-NNNNN with 5 digits in the sequence number, CVE-YYYY-NNNNNNN with 7 digits in the sequence number, and so on. This also means there will be no changes needed to previously assigned CVE IDs, which all include 4 digits.
Click to view the full-size image

Enlarge or Download & Share

Examples

Examples of identifiers in the new CVE ID syntax are included below. There is no limit on the number of arbitrary digits. Leading 0’s will only be used in IDs 1 to 999, as shown in column one below.

IDs with 4 digits IDs with 5 digits IDs with 6 digits IDs with 7 digits
CVE-2014-0001 CVE-2014-10000 CVE-2014-100000 CVE-2014-1000000
CVE-2014-3127 CVE-2014-54321 CVE-2014-456132 CVE-2014-7654321
CVE-2014-9999 CVE-2014-99999 CVE-2014-999999 CVE-2014-9999999

NOTE: Some of the CVE ID examples above have not yet been assigned.

Status of Previously Assigned CVE IDs

All previously assigned CVE IDs will remain as-is and will not be changed in any way as they already adhere to the new CVE ID syntax because they include the CVE prefix + Year + 4 Arbitrary Digits (CVE-YYYY-NNNN), for example, CVE-1999-0067.

How to Prepare for the New CVE ID Syntax

The CVE ID syntax change will affect all users of CVE. Every type of CVE consumer, whether a vendor, CVE Numbering Authority (CNA), researcher, end user, etc., will need to consider the syntax change for the following CVE-related actions:

End users should ask your vendors and/or service providers if they have updated, or when they are planning to update, their products/services to the new CVE ID syntax.

Please note that the set of categories of action above is neither complete nor authoritative, and this guidance may grow in the future. In the meantime, if you have suggestions for this list, please contact us at cve@mitre.org.

Technical Guidance and Test Data

For technical guidance and test data for developers and consumers for tools, websites, and other capabilities that use CVE Identifiers (CVE IDs), please see the following:

Background

New CVE ID Syntax Determined by CVE Editorial Board

Following periods of public feedback and discussion, the new CVE ID syntax was determined in a final vote by the CVE Editorial Board in May 2013, details of which are available in the CVE Editorial Board Discussion List Archives.

Two rounds of voting were required, as the initial vote held by the Board in April 2013 among three proposed options resulted in a tie between the two of the options (learn more about the original three options). A second vote was then held in May 2013 with only two options, a slightly modified Option A that extended the available numbering space to 8 fixed digits and the unchanged Option B with variable length digits (learn more about the final two options).

In the second vote the CVE Editorial Board selected "Option B, CVE prefix + Year + Arbitrary Digits" with 15 of the 18 votes cast.

Archived CVE Editorial Board Votes and Discussions

Links to additional information about the syntax change and Board discussion and voting are included below.

News page and blog articles

CVE Editorial Board discussions

Q&A

Answers to frequently asked questions about the syntax change are included below.

Why is the CVE ID Syntax changing? Why is it important?

The CVE Identifier (CVE ID) syntax used since the inception of CVE in 1999, CVE-YYYY-NNNN, only supports a maximum of 9,999 unique identifiers per year. Due to the ever increasing volume of public vulnerability reports, the CVE Editorial Board and MITRE determined that the Common Vulnerabilities and Exposures (CVE®) project needed to change the syntax of its standard vulnerability identifiers so that CVE can track more than 10,000 vulnerabilities in a single year.

The new CVE ID syntax was determined in a vote by the CVE Editorial Board, details of which are available in the CVE Editorial Board Discussion List Archives.

Also see CVE ID Syntax Change, Technical Guidance for Handling the New CVE ID Syntax, and Organizations Compliant with the New CVE ID Syntax.

When did the CVE ID Syntax Change take effect:

The CVE ID Syntax Change took effect on January 1, 2014, and CVE IDs using the new syntax were first issued on January 13, 2015. The Distributed Weakness Filing (DWF) CNA is now actively assigning CVE IDs with seven digits, as of May 24, 2016.

What is the new CVE ID Syntax?

The new CVE ID syntax is variable length and includes:

CVE prefix + Year + Arbitrary Digits

CVE IDs can now have 4 or more digits in the sequence number portion of the ID. For example, CVE-YYYY-NNNN with 4 digits in the sequence number, CVE-YYYY-NNNNN with 5 digits in the sequence number, CVE-YYYY-NNNNNNN with 7 digits in the sequence number, and so on.

NOTE: This also means there will be no changes needed to previously assigned CVE IDs, which all include 4 digits.

What are some examples of the new CVE ID Syntax?

See New CVE ID Syntax.

Will older already assigned CVE IDs need to be updated to the new syntax?

No, all previously assigned CVE IDs will remain as-is and will not be changed in any way as they already adhere to the new CVE ID syntax because they include the CVE prefix + Year + 4 Arbitrary Digits (CVE-YYYY-NNNN), for example, CVE-1999-0067.

How will the CVE ID Syntax Change affect me? What should I do to prepare?

See How to Prepare for the New CVE ID Syntax.

How was the new CVE ID syntax determined?

See New CVE ID Syntax Determined by CVE Editorial Board.

Is there more detailed information available about the CVE ID Syntax Change?

See Technical Guidance for Handling the New CVE ID Syntax.

I have a follow-up question about the CVE ID Syntax Change that is not answered here, how do I contact the CVE Team?

Please send any additional questions to cve@mitre.org.

Has CVE published CVE IDs in the new format?

Yes, beginning in January 2015 CVE posted CVE IDs in the new numbering format with 5 and 6 digits in the sequence number portions of the IDs. In May 2016, the Distributed Weakness Filing (DWF) CVE Numbering Authority (CNA) began actively posting CVE IDs with 7 digits.

See "First CVE IDs Issued in New Numbering Format Now Available" and "DWF CNA Using Seven Digit CVE IDs" for additional information.

Help

Please address any questions to cve@mitre.org.

Page Last Updated or Reviewed: September 13, 2016