CVE ID Syntax Change (Archived)
CVE IDs can now have four or more digits in the sequence number portion of the ID. The CVE ID Syntax Change took effect on January 1, 2014, and CVE IDs using the new syntax were first issued on January 13, 2015.
The Distributed Weakness Filing (DWF) CNA is now actively assigning CVE IDs with seven digits, as of May 24, 2016.
Please ensure that your products, tools, websites, and processes are updated for the new syntax or they may not work properly.
Learn more:
- New CVE ID Format
- DWF CNA Using Seven Digit CVE IDs
- First CVE IDs Issued in New Numbering Format Now Available
- Technical Guidance & Test Data
- Background
- Q&A
- Organizations Compliant with the New CVE ID Syntax
- Help/Contact us
Summary
Due to the ever increasing volume of public vulnerability reports, the CVE Editorial Board and MITRE determined that the Common Vulnerabilities and Exposures (CVE®) project should change the syntax of its standard vulnerability identifiers so that CVE can track more than 10,000 vulnerabilities in a single year. The old CVE Identifier (CVE ID) syntax used since the inception of CVE in 1999, CVE-YYYY-NNNN, only supported a maximum of 9,999 unique identifiers per year, requiring the change. The new CVE ID syntax was determined in a vote by the CVE Editorial Board, details of which are available in the CVE Editorial Board Discussion List Archives.
Implementation Date Deadline
The CVE ID Syntax Change took effect on January 1, 2014. CVE ID using the new syntax were issued beginning on January 13, 2015. See "First CVE IDs Issued in New Numbering Format Now Available" on the CVE News page, and "CVE IDs Posted Today for the First Time Using the New ID Syntax" on the CVE Editor's Commentary page, for additional information.
New CVE ID Syntax
The new CVE ID syntax is variable length and includes:
CVE prefix + Year + Arbitrary Digits
IMPORTANT: CVE IDs can now have four (4) or more digits in the sequence number portion of the ID. For example, CVE-YYYY-NNNN with 4 digits in the sequence number, CVE-YYYY-NNNNN with 5 digits in the sequence number, CVE-YYYY-NNNNNNN with 7 digits in the sequence number, and so on. This also means there will be no changes needed to previously assigned CVE IDs, which all include 4 digits.
Examples
Examples of identifiers in the new CVE ID syntax are included below. There is no limit on the number of arbitrary digits. Leading 0’s will only be used in IDs 1 to 999, as shown in column one below.
| IDs with 4 digits | IDs with 5 digits | IDs with 6 digits | IDs with 7 digits |
|---|---|---|---|
| CVE-2014-0001 | CVE-2014-10000 | CVE-2014-100000 | CVE-2014-1000000 |
| CVE-2014-3127 | CVE-2014-54321 | CVE-2014-456132 | CVE-2014-7654321 |
| CVE-2014-9999 | CVE-2014-99999 | CVE-2014-999999 | CVE-2014-9999999 |
NOTE: Some of the CVE ID examples above have not yet been assigned.
Status of Previously Assigned CVE IDs
All previously assigned CVE IDs will remain as-is and will not be changed in any way as they already adhere to the new CVE ID syntax because they include the CVE prefix + Year + 4 Arbitrary Digits (CVE-YYYY-NNNN), for example, CVE-1999-0067.
How to Prepare for the New CVE ID Syntax
The CVE ID syntax change will affect all users of CVE. Every type of CVE consumer, whether a vendor, CVE Numbering Authority (CNA), researcher, end user, etc., will need to consider the syntax change for the following CVE-related actions:
- Output Format — CVE IDs can be more than 13 characters wide (the length of a 4-digit
CVE ID), which could affect how CVEs are stored and presented in table columns, web pages, reports, databases, data feeds, XML documents, or other formats.
Also, because the number of digits can vary, CVE IDs might not be sorted in the expected order, e.g., CVE-2014-12345 might be sorted before CVE-2014-9999, which could make it appear to be more recent than CVE-2014-9999. - Input Format — Mechanisms that directly accept CVE IDs as input, such as a search routine or data feed, may need to be modified to accept the longer IDs. For example, an input routine might incorrectly report an error if it receives a CVE ID with 5 digits.
- Extraction or Parsing — Automated processes that detect the use of CVE IDs in unstructured text, e.g., a vulnerability advisory, might need to be modified to remove the 4-digit assumption.
End users should ask your vendors and/or service providers if they have updated, or when they are planning to update, their products/services to the new CVE ID syntax.
Please note that the set of categories of action above is neither complete nor authoritative, and this guidance may grow in the future. In the meantime, if you have suggestions for this list, please contact us at cve@mitre.org.
Technical Guidance and Test Data
For technical guidance and test data for developers and consumers for tools, websites, and other capabilities that use CVE Identifiers (CVE IDs), please see the following:
Background
New CVE ID Syntax Determined by CVE Editorial Board
Following periods of public feedback and discussion, the new CVE ID syntax was determined in a final vote by the CVE Editorial Board in May 2013, details of which are available in the CVE Editorial Board Discussion List Archives.
Two rounds of voting were required, as the initial vote held by the Board in April 2013 among three proposed options resulted in a tie between the two of the options (learn more about the original three options). A second vote was then held in May 2013 with only two options, a slightly modified Option A that extended the available numbering space to 8 fixed digits and the unchanged Option B with variable length digits (learn more about the final two options).
In the second vote the CVE Editorial Board selected "Option B, CVE prefix + Year + Arbitrary Digits" with 15 of the 18 votes cast.
Archived CVE Editorial Board Votes and Discussions
Links to additional information about the syntax change and Board discussion and voting are included below.
News page and blog articles
- First CVE IDs Issued in New Numbering Format Now Available, January 13, 2015
- CVE IDs Posted Today for the First Time Using the New ID Syntax, CVE Editor's Commentary blog, January 13, 2015
- "FINAL NOTICE: CVE ID in New Numbering Format with 5 Digits to Be Assigned Within Weeks," November 20, 2014
- "REMINDER: Deadline for Compliance with New CVE ID Numbering Format Rapidly Approaching," November 5, 2014
- "Numerous News Articles Posted about Upcoming CVE ID Syntax Compliance Deadline," September 25, 2014
- "Several Organizations Announce Compliance with New CVE ID Format in Advance of Upcoming Deadline," September 17, 2014
- "MITRE Issues Press Release about Upcoming CVE ID Syntax Compliance Deadline," September 17, 2014
- "Reminder to Update Products, Services, and Processes to the New CVE ID Numbering Format," July 30, 2014
- "Technical Guidance for Handling the New CVE ID Syntax Now Available," February 21, 2014
- "New CVE ID Format in Effect as of January 1, 2014," January 15, 2014
- "CVE ID Syntax Change Voting Results," July 17, 2013
- "Status Update on the CVE ID Syntax Change," May 3, 2013
- "Call for Public Feedback on Upcoming CVE ID Syntax Change," January 24, 2013
CVE Editorial Board discussions
- Posts:
- CVE ID Issuance Strategies Using the New ID Syntax, June 18, 2013
- Second Round CVE ID Syntax vote declared valid, June 6, 2013
- CVE ID Syntax change — Round two vote results and comments, May 23, 2013
- Second round of discussion and voting for new CVE ID Syntax, April 30, 2013
- CVE ID Syntax Change CVE Editorial Board Voting and Procedures, March 26, 2013
- CVE ID Syntax Change — Call for Public Feedback, January 22, 2013
- Archives
by month:
- Post-Vote and Implementation Planning Discussion Archive, June 2013
- Round #2 Discussion and Voting Archive, May 2013
- Round #1 Discussion and Voting Archive, April 2013
- Pre-Vote Planning Discussion Archive, March 2013
- Pre-Vote Planning Discussion Archive, February 2013
- Pre-Vote Planning Discussion Archive, January 2013
Q&A
Answers to frequently asked questions about the syntax change are included below.
Why is the CVE ID Syntax changing? Why is it important?
The CVE Identifier (CVE ID) syntax used since the inception of CVE in 1999, CVE-YYYY-NNNN, only supports a maximum of 9,999 unique identifiers per year. Due to the ever increasing volume of public vulnerability reports, the CVE Editorial Board and MITRE determined that the Common Vulnerabilities and Exposures (CVE®) project needed to change the syntax of its standard vulnerability identifiers so that CVE can track more than 10,000 vulnerabilities in a single year.
The new CVE ID syntax was determined in a vote by the CVE Editorial Board, details of which are available in the CVE Editorial Board Discussion List Archives.
Also see CVE ID Syntax Change, Technical Guidance for Handling the New CVE ID Syntax, and Organizations Compliant with the New CVE ID Syntax.
When did the CVE ID Syntax Change take effect:
The CVE ID Syntax Change took effect on January 1, 2014, and CVE IDs using the new syntax were first issued on January 13, 2015. The Distributed Weakness Filing (DWF) CNA is now actively assigning CVE IDs with seven digits, as of May 24, 2016.
What is the new CVE ID Syntax?
The new CVE ID syntax is variable length and includes:
CVE prefix + Year + Arbitrary Digits
CVE IDs can now have 4 or more digits in the sequence number portion of the ID. For example, CVE-YYYY-NNNN with 4 digits in the sequence number, CVE-YYYY-NNNNN with 5 digits in the sequence number, CVE-YYYY-NNNNNNN with 7 digits in the sequence number, and so on.
NOTE: This also means there will be no changes needed to previously assigned CVE IDs, which all include 4 digits.
What are some examples of the new CVE ID Syntax?
See New CVE ID Syntax.
Will older already assigned CVE IDs need to be updated to the new syntax?
No, all previously assigned CVE IDs will remain as-is and will not be changed in any way as they already adhere to the new CVE ID syntax because they include the CVE prefix + Year + 4 Arbitrary Digits (CVE-YYYY-NNNN), for example, CVE-1999-0067.
How will the CVE ID Syntax Change affect me? What should I do to prepare?
See How to Prepare for the New CVE ID Syntax.
How was the new CVE ID syntax determined?
See New CVE ID Syntax Determined by CVE Editorial Board.
Is there more detailed information available about the CVE ID Syntax Change?
See Technical Guidance for Handling the New CVE ID Syntax.
I have a follow-up question about the CVE ID Syntax Change that is not answered here, how do I contact the CVE Team?
Please send any additional questions to cve@mitre.org.
Has CVE published CVE IDs in the new format?
Yes, beginning in January 2015 CVE posted CVE IDs in the new numbering format with 5 and 6 digits in the sequence number portions of the IDs. In May 2016, the Distributed Weakness Filing (DWF) CVE Numbering Authority (CNA) began actively posting CVE IDs with 7 digits.
See "First CVE IDs Issued in New Numbering Format Now Available" and "DWF CNA Using Seven Digit CVE IDs" for additional information.
Help
Please address any questions to cve@mitre.org.
