CVE — Common Vulnerabilities and Exposures
CVE (Common Vulnerabilities and Exposures) is a globally recognized system for identifying and naming cybersecurity vulnerabilities. Each vulnerability receives a unique CVE-ID (e.g., CVE-2024-3094) that allows security teams, manufacturers, and regulators to unambiguously reference the same vulnerability. Under the EU Cyber Resilience Act, CVE monitoring is essential for meeting the 24-hour vulnerability reporting obligation to ENISA.
Key Facts
| Detail | Information |
|---|---|
| Full name | Common Vulnerabilities and Exposures |
| Maintained by | MITRE Corporation (U.S., funded by CISA) |
| ID format | CVE-YYYY-NNNNN (year + sequential number) |
| Total CVEs published | ~240,000+ (as of early 2026) |
| New CVEs per year | ~25,000—30,000 (accelerating) |
| Public database | cve.org |
| Enrichment database | NVD (National Vulnerability Database) — adds CVSS scores, CPE matches |
| EU equivalent | ENISA maintains EU Vulnerability Database (mandated by NIS2) |
How CVEs Work
Lifecycle of a Vulnerability
+----------------------------------------------------+
— 1. DISCOVERY —
— Researcher / vendor / attacker finds vulnerability —
+----------------------------------------------------+
?
+----------------------------------------------------+
— 2. CVE ASSIGNMENT —
— CNA (CVE Numbering Authority) assigns CVE-ID —
— Reserved but not yet public —
+----------------------------------------------------+
?
+----------------------------------------------------+
— 3. PUBLICATION —
— CVE record published on cve.org —
— Includes: description, references, affected products—
+----------------------------------------------------+
?
+----------------------------------------------------+
— 4. NVD ENRICHMENT —
— NVD adds: CVSS score, CPE matches, CWE category —
— Appears in automated scanning tools —
+----------------------------------------------------+
?
+----------------------------------------------------+
— 5. REMEDIATION —
— Vendor releases patch / firmware update via OTA —
— Product SBOM updated to reflect fixed versions —
+-----------------------------------------------------+CVSS Severity Scoring
Each CVE receives a CVSS (Common Vulnerability Scoring System) score indicating severity:
| CVSS Score | Severity | Example Impact |
|---|---|---|
| 9.0—10.0 | Critical | Remote code execution, complete device takeover |
| 7.0—8.9 | High | Privilege escalation, authentication bypass |
| 4.0—6.9 | Medium | Information disclosure, denial of service |
| 0.1—3.9 | Low | Minor information leak, theoretical exploit |
Why CVEs Matter for Hardware Manufacturers
CRA Vulnerability Reporting
The CRA creates a direct link between CVE monitoring and legal obligations:
| CRA Requirement | CVE Connection |
|---|---|
| 24-hour ENISA notification | Triggered when a CVE affecting your product is actively exploited |
| No known vulnerabilities at shipment | All CVEs matching your SBOM components must be patched before market placement |
| 5-year vulnerability management | CVE monitoring must continue for the product’s entire support lifetime |
| OTA updates | CVE-triggered patches must be delivered to deployed devices |
The SBOM—CVE Connection
Your product’s SBOM is the key to automated CVE monitoring:
| SBOM Component | CVE Risk Example |
|---|---|
| FreeRTOS 10.4.3 | CVE-2021-31571 — buffer overflow in TCP/IP stack |
| mbedTLS 2.28.0 | CVE-2023-43615 — certificate validation bypass |
| lwIP 2.1.3 | CVE-2023-36321 — denial of service via malformed packet |
| U-Boot 2023.04 | CVE-2024-xxxxx — secure boot bypass via crafted image |
| Linux kernel 5.15 | Hundreds of CVEs per year — continuous monitoring essential |
The automated pipeline: SBOM ? CPE matching ? CVE database lookup ? severity filtering ? ENISA report generation ? OTA patch deployment. This is what our SBOM Monitoring Service provides.
CVE Monitoring for Embedded Products
Challenges Specific to Embedded/IoT
| Challenge | Description |
|---|---|
| Long deployment cycles | IoT devices deployed for 10—15 years; CVEs accumulate over time |
| Constrained resources | Devices may lack bandwidth/storage for frequent patches |
| Component lag | Embedded vendors often use older versions of open-source components |
| Custom BSP | Board Support Packages from silicon vendors may contain untracked components |
| Nested dependencies | Transitive dependencies (deps of deps) are often not in the SBOM |
| No centralized updater | Unlike mobile OS, each manufacturer manages their own update pipeline |
Recommended Monitoring Workflow
- Generate SBOM at build time (SPDX or CycloneDX format).
- Map components to CPE identifiers for NVD database matching.
- Continuous CVE scanning — automated daily or real-time checks against NVD/EPSS feeds.
- Risk-based triage — prioritize by CVSS score — EPSS (Exploit Prediction Scoring System) — product exposure.
- Patch or mitigate — deliver fixes via OTA update or publish mitigation guidance.
- Report to ENISA — if actively exploited, trigger 24h/72h/14d reporting workflow.
Related Terms
- SBOM — The component inventory that enables automated CVE matching.
- ENISA — The EU agency that receives vulnerability reports triggered by CVEs.
- CRA — The regulation mandating CVE monitoring and vulnerability management.
- OTA Update — The delivery mechanism for CVE-triggered security patches.
Official References
- CVE Program — MITRE Corporation — MITRE (CVE database and numbering authority)
- National Vulnerability Database (NVD) — NIST (enriched CVE data with CVSS scores)