Warning – CVE-ID Syntax Change the 01.13.15

New syntax about the CVE allocation name

cve-idsDon’t forget, in few days we will need to change CVE syntax about Vulnerability declaration form. Check your system is compliant (IDS, IPS…)

CVE has a new ID numbering format for CVE Identifiers (i.e., CVE-IDs) that requires organizations to take action to ensure their products, tools, websites, and processes continue to work properly once CVE-ID numbers are issued using the new syntax before the end of 2014 and no later than Tuesday, January 13, 2015. All informations are available on mitre Web Site.

Source : http://cve.mitre.org


Due to the ever increasing volume of public vulnerability reports, the CVE Editorial Board and MITRE determined that the Common Vulnerabilities and Exposures (CVE®) project should change the syntax of its standard vulnerability identifiers so that CVE can track more than 10,000 vulnerabilities in a single year. The old CVE Identifier (CVE-ID) syntax used since the inception of CVE in 1999, CVE-YYYY-NNNN, only supported a maximum of 9,999 unique identifiers per year, requiring the change. The new CVE-ID syntax was determined in a vote by the CVE Editorial Board, details of which are available in the CVE Editorial Board Discussion List Archives.

Implementation Date Deadline

The CVE-ID Syntax Change took effect on January 1, 2014.

BE PREPARED: A CVE-ID number using the new syntax could be issued before the end of 2014, but if not we will ensure that at least one 5-digit CVE-ID is issued by January 13, 2015.

New CVE-ID Syntax

The new CVE-ID syntax is variable length and includes:

CVE prefix + Year + Arbitrary Digits

IMPORTANT: The variable length arbitrary digits will begin at four (4) fixed digits and expand with arbitrary digits only when needed in a calendar year, for example, CVE-YYYY-NNNN and if needed CVE-YYYY-NNNNN, CVE-YYYY-NNNNNNN, and so on. This also means there will be no changes needed to previously assigned CVE-IDs, which all include 4 digits.
Enlarge or Download & Share

Examples of identifiers in the new CVE-ID syntax are included below. Note that the arbitrary digits may be expanded from 4 digits when needed, but only IDs with up to 7 digits are shown below to help explain the new syntax. There is no limit on the number of arbitrary digits. Leading 0’s will only be used in IDs 1 to 999, as shown in column one below.

  • IDs with 4 digits
  • IDs with 5 digits (when needed)
  • IDs with 6 digits (when needed)
  • IDs with 7 digits(when needed)
  • CVE-2014-0001
  • CVE-2014-10000
  • CVE-2014-100000
  • CVE-2014-1000000
  • CVE-2014-3127
  • CVE-2014-54321
  • CVE-2014-456132
  • CVE-2014-7654321
  • CVE-2014-9999
  • CVE-2014-99999
  • CVE-2014-999999
  • CVE-2014-9999999

NOTE: Some of the CVE-ID examples above have not yet been assigned.

Status of Previously Assigned CVE-IDs
All previously assigned CVE-IDs will remain as-is and will not be changed in any way as they already adhere to the new CVE-ID syntax because they include the CVE prefix + Year + 4 Arbitrary Digits (CVE-YYYY-NNNN), for example, CVE-1999-0067.
How to Prepare for the New CVE-ID Syntax
The CVE-ID syntax change will affect all users of CVE. Every type of CVE consumer, whether a vendor, CVE Numbering Authority (CNA), researcher, end user, etc., will need to consider the syntax change for the following CVE-related actions:

Output Format — CVE-IDs can be more than 13 characters wide (the length of a 4-digit CVE-ID), which could affect how CVEs are stored and presented in table columns, web pages, reports, databases, data feeds, XML documents, or other formats.

Also, because the number of digits can vary, CVE-IDs might not be sorted in the expected order, e.g., CVE-2014-12345 might be sorted before CVE-2014-9999, which could make it appear to be more recent than CVE-2014-9999.
Input Format — Mechanisms that directly accept CVE IDs as input, such as a search routine or data feed, may need to be modified to accept the longer IDs. For example, an input routine might incorrectly report an error if it receives a CVE-ID with 5 digits.
Extraction or Parsing — Automated processes that detect the use of CVE-IDs in unstructured text, e.g., a vulnerability advisory, might need to be modified to remove the 4-digit assumption.
End users should ask your vendors and/or service providers if they have updated, or when they are planning to update, their products/services to the new CVE-ID syntax.

New CVE-ID Syntax Determined by CVE Editorial Board

Following periods of public feedback and discussion, the new CVE-ID syntax was determined in a final vote by the CVE Editorial Board in May 2013, details of which are available in the CVE Editorial Board Discussion List Archives.

Two rounds of voting were required, as the initial vote held by the Board in April 2013 among three proposed options resulted in a tie between the two of the options (learn more about the original three options). A second vote was then held in May 2013 with only two options, a slightly modified Option A that extended the available numbering space to 8 fixed digits and the unchanged Option B with variable length digits (learn more about the final two options).

In the second vote the CVE Editorial Board selected “Option B, CVE prefix + Year + Arbitrary Digits” with 15 of the 18 votes cast.