CVE Program Status Update
The Distributed Weakness Filing (DWF) CNA (established May 24, 2016), makes CVE assignments using seven digit numbers as a way of initially differentiating between DWF assignments and other CNA assignments. The CVE Program wants to make the community aware of this so that the community is prepared to deal with these larger number series in their infrastructures. The CVE syntax change allowing seven digits went into effect on January 1, 2015 (CVE-ID Syntax Change). We are posting this message to the community because we realize it is important to communicate when those additional digits are being used.

If you have any questions, please reach out to

CVE® International in scope and free for public use, CVE is a dictionary of publicly known information security vulnerabilities and exposures.

CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.

Widespread Use of CVE
Focus On

CVE Numbering Authorities (CNAs)

CNAs are the main method for requesting a CVE-ID number.

CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

The following 25 organizations currently participate as CNAs: Adobe; Apple; Attachmate; BlackBerry; CERT/CC; Cisco; Debian GNU/Linux; Distributed Weakness Filing Project; EMC; FreeBSD; Google; HP; HPE; IBM; ICS-CERT; JPCERT/CC; Juniper; Microsoft; MITRE (primary CNA); Mozilla; Oracle; Red Hat; Silicon Graphics; Symantec; and Ubuntu Linux.

A message about turnaround times for requesting CVE-ID numbers from MITRE is posted above. For more information about requesting CVE-ID numbers from CNAs, visit the CVE Numbering Authorities page.

Page Last Updated: August 18, 2016