China’s Parallel CVE Systems Expose Alternate Vulnerability Disclosure Timeline
By Mayura Kathir
February 19, 2026
Beyond CVE, China’s dual vulnerability databases, CNVD and CNNVD, show that vulnerability disclosure is not a single, global, unified process but a set of parallel systems with different rules, incentives, and timelines.
China runs two national vulnerability databases: CNNVD, operated under the Ministry of State Security, and CNVD, operated by CNCERT as a defender‑focused coordination platform.
While both catalog software and hardware flaws, they use their own IDs, schemas, and categorizations instead of fully adopting Western standards such as CWE and CPE.
CNNVD closely shadows CVE and NVD and historically has contained slightly more entries than US‑maintained datasets over certain time ranges, while CNVD is smaller and more uneven in its coverage.
Both systems include a CVE field, but they do not systematically cross‑reference each other, which complicates correlation and automation work for defenders.
China also regulates vulnerability handling via the “Provisions on the Management of Network Product Security Vulnerabilities” issued in July 2021 and in force since September 2021.
The regulation forces vendors and operators to report vulnerabilities to authorities, patch them promptly, and retain logs, while imposing conditions on public disclosure.
Both CNNVD and CNVD require account creation, email verification, and logins to access data.
Logins for CNNVD and CNVD (Source : BITSIGHT).
The regulation explicitly restricts publishing exploit code, forbids exaggerating severity, and requires coordination with state agencies, a sharp contrast to the more voluntary, researcher‑led disclosure norms common around CVE and NVD.
China’s Parallel CVE Systems
While XML is not my preferred document-based data format, it can be parsed like any other. However, errors in the entries in both databases mean that simply asking your favorite XML engine to parse the data.
Growth of CNVD and CNNVD from earliest publication date (Source : BITSIGHT).
Studies comparing the databases show that CNNVD has only a relatively small subset of entries without a CVE mapping, on the order of ten thousand out of well over a hundred thousand total vulnerabilities.
Where CVE and NVD provide richer structured data (CVSS, CWE, and more mature affected‑product modeling), the Chinese databases tend to provide simpler categorical severity and free‑text descriptions.
Under the surface, however, a small but important set of vulnerabilities appears in CNNVD and CNVD well before they are recorded as published in CVE or NVD, sometimes by several months.
There are two other structured and easily analyzable fields in CNVD: the open and submission times. These are, presumably, when the vulnerability was first submitted to the database and when it was finally published.
Arcs of delays between open and submission times when the delay is more than a week (Source : BITSIGHT).
In a few cases, researchers have identified Chinese entries that either never gained a corresponding public CVE or that relate to products and vendors with little presence in Western markets, suggesting that some exposures tracked in China remain under‑represented in Western datasets.
These quality problems, combined with manual web‑based exports rather than modern APIs, make large‑scale ingestion and correlation harder than with NVD, even when the underlying vulnerability set is similar.
What 2026 Might Look Like
The 2021 Chinese regulations have influenced what gets published and when, especially around entries that lack CVE mappings.
At the same time, hygiene issues are visible on the Chinese side as well. Analyses report malformed or mismatched CVE identifiers, inconsistent dates, and missing or misaligned severity scores in CNVD and CNNVD feeds.
Severity of vulnerabilities relative to their publication time (Source: BITSIGHT).
Researchers have observed shifts in the rate at which non‑CVE vulnerabilities are exposed in CNVD and CNNVD around and after the policy date, with some evidence that CNNVD in particular slowed publication of non‑mapped vulnerabilities for a period before increasing output again more recently.
This pattern is consistent with a tightening of state control over what vulnerability information becomes public, and when, rather than a purely organic evolution of a community‑driven database.
For defenders and analysts heading into 2026, the lesson is twofold. First, relying solely on CVE and NVD risks missing context, timing differences, and region‑specific exposures that show up first or only in foreign national databases such as CNNVD and CNVD.
Second, despite recent strains on the NVD and the CVE program, Western infrastructure still offers more standardized, machine‑readable, and transparent data than what is officially exposed from China, especially around CVSS, CWE, and derived frameworks like KEV lists and probabilistic exploit scoring.
In a world of competing disclosure regimes, the real advantage goes to teams that can fuse these disparate feeds, normalize their quirks, and reason about the gaps between them.
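A normalization pass of the kind the closing paragraphs call for, as an added example rather than code from the article or from Bitsight: it canonicalizes CVE identifiers, parses mixed date layouts, and measures both the open-to-submission gap and the lead over an NVD publication date. The field names, record IDs, the placeholder CVE ID and all dates are constructed assumptions, not the real CNVD or CNNVD schema.

```python
import re
from contextlib import suppress
from datetime import date, datetime

# Strict CVE syntax, plus a loose form for recoverable typos (case, separators).
CVE_STRICT = re.compile(r"CVE-\d{4}-\d{4,}")
CVE_LOOSE = re.compile(r"CVE[\W_]*(\d{4})[\W_]*(\d{4,})", re.IGNORECASE)
DATE_FORMATS = ("%Y-%m-%d", "%Y/%m/%d", "%Y%m%d")

def normalize_cve(raw):
    """Return (canonical_id, status); status is ok, repaired, malformed or missing."""
    text = (raw or "").strip()
    if not text:
        return None, "missing"
    if CVE_STRICT.fullmatch(text):
        return text, "ok"
    m = CVE_LOOSE.fullmatch(text)
    return (f"CVE-{m[1]}-{m[2]}", "repaired") if m else (None, "malformed")

def parse_date(raw):
    # Try each known layout; None means the field is unusable.
    for fmt in DATE_FORMATS:
        with suppress(ValueError):
            return datetime.strptime((raw or "").strip(), fmt).date()
    return None

def triage(record, nvd_published):
    """Normalize one feed record and flag its quirks instead of dropping it."""
    cve, status = normalize_cve(record.get("cve"))
    flags = [] if status == "ok" else ["cve_" + status]
    d1, d2 = parse_date(record.get("open_time")), parse_date(record.get("submit_time"))
    gap = lead = None
    if d1 and d2:
        gap = abs((d2 - d1).days)
        if gap > 7:  # one-week threshold, as in the article's delay figure
            flags.append("long_delay")
        if cve in nvd_published:
            lead = (nvd_published[cve] - min(d1, d2)).days  # > 0: feed was earlier
    else:
        flags.append("bad_date")
    return {"id": record["id"], "cve": cve, "gap_days": gap, "lead_days": lead, "flags": flags}

# Constructed sample records; field names and IDs are placeholders, not a real schema.
SAMPLE = [
    {"id": "EX-1", "cve": "cve 1900_00001", "open_time": "2024-01-10", "submit_time": "2024/03/01"},
    {"id": "EX-2", "cve": "CVE-1900-123", "open_time": "2024-13-40", "submit_time": "2024-02-06"},
]
NVD_PUBLISHED = {"CVE-1900-00001": date(2024, 4, 15)}  # constructed NVD publish date
if __name__ == "__main__":
    print(*(triage(r, NVD_PUBLISHED) for r in SAMPLE), sep="\n")
```

Records that fail normalization are kept with flags rather than discarded, so malformed identifiers and unusable dates remain countable as data-quality signals.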