2022 was a record-breaking growth year for CVE data, and I figured it would be a great way to start the new year by going through the data and highlighting some of the most interesting data points. All the data and graphs used in this blog are available in this GitHub repo.
CVEs By The Numbers
We ended 2022 with 25,093 published CVEs. On average, there were 68.75 CVEs published per day. December was the month with the most CVEs published, with 2,426 or 9.7% of all CVEs for the year. 5,414 CVEs, or 21.6% of all CVEs, were published on Tuesdays. June 2nd had the most CVEs published in a single day, with 320.
CVEs By Month
|Month||CVEs||Percentage of CVEs|
CVEs By Day Of Week
|Day||CVEs||Percentage of CVEs|
Top 10 2022 Publishing Days
|Date||CVEs||Percentage of CVEs|
Like every year since 2017, we saw a record-breaking number of CVEs published, with 25,093, a 24.51% increase over 2021. It also means that 13.06% of all CVEs published were published in the previous year.
A somewhat confusing part of CVE IDs can be the year identifier. It is often assumed that the year represents when a CVE is published, but it represents when it was assigned or when the vulnerability was made public.
I say all that to point out that the “oldest” CVEs published this year belong to BlackICE PC Protection, 20 years after they were made public:
The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score from 0.0 to 10.0, reflecting its severity. The average CVSS score this year was 7.19.
This year 48 CVEs scored a “perfect” 10.0.
CVE-2022-27049, a vulnerability in RaidDrive, had the lowest score of 2.0.
Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages to help identify vulnerable software identified in a CVE.
This year there were 2,815 unique CPEs identified in CVEs. The most common was
cpe:2.3:o:google:android:11.0:*:*:*:*:*:*:* that was applied to 299 CVEs
CVE Numbering Authorities (CNAs) are software vendors, open source projects, coordination centers, bug bounty service providers, hosted services, and research groups authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their specific scopes of coverage.
Today there are 261 CNAs. In 2022, 200 unique assigners published a minimum of 1 CVE. To make this confusing, 109 CNAs did not publish a CVE this year, and 83 CNAs not listed as an assigner published at least one CVE.
Four of the top five CNAs this year, excluding Microsoft, were purpose-built to report CVEs for various projects.
CWE is a community-developed list of software and hardware weakness types. It is a common language, a measuring stick for security tools, and a baseline for weakness identification, mitigation, and prevention efforts.
There are 1332 CWEs, and this year, 236 were assigned to CVEs. CWE-79 was the most assigned CWE and was assigned 3230 times or to 12.88% of all CVEs. NVD didn’t assign a CWE 2835 times or to 11.30% of all CVEs.
- All data and graphs for this blog post were created using the jupyter notebooks in the GitHub Repo.
- Rejected CVEs have been removed from the dataset because some CNAs publish and reject any unused reserved CVE IDs causing an artificially inflated record count.
- CVE.ICU is a jupyterbook site that I run that has real-time CVE information throughout the year.