April 2026 CNA Anomalous Behavior

Top CNAs by April activity

Confirmed anomalies — what each CNA actually did

1. Patchstack — three episodes of one story (CVSS pipeline incident)

2026-04-01 (THE wipeout, not Apr 8): 7,286 CVEs lost their CVSS metric blocks in one bulk update. Specific field removes:

• containers/cna/metrics/0/cvssV3_1/{baseScore,baseSeverity,attackVector,attackComplexity,privilegesRequired,userInteraction,confidentialityImpact,integrityImpact,availabilityImpact} — 7,286 each
• containers/cna/source — 7,287 removes (entire metric source block also dropped)

2026-04-23 (restoration): 8,389 CVEs got CVSS added back. Of 7,122 paired against pre-wipe values: 99.5% identical, 0.5% genuinely rescored. (Already analyzed in detail.)

2026-04-27/28 (ongoing): ~15K more CVEs being touched. The pattern (CNA-side adds, ADP-side removes) suggests they are now also restoring/cleaning the CISA-ADP layer that was orphaned during the wipe.

2. Wordfence — methodology change on April 8

8,844 CVEs touched on a single day. Replace-dominant: 8,753 replaces on containers/cna/affected/0, plus reference and description rewrites. Pattern is consistent with rebuilding the affected-product representation (e.g., switching schema for plugin/version ranges) — not rescoring.

3. VulDB — CVSS 4.0 / Threat-metric rollout

774 CVEs, 42,771 pure adds, 4 removes. Fields added are not CVSS 3.1 base fields but the CVSS 4.0 / Temporal-Threat layer:

• reportConfidence, remediationLevel, exploitCodeMaturity, exploitMaturity, exploitability
• Plus base-vector fields (attackVector, attackComplexity, etc.) — likely new CVSS 4.0 vectors alongside existing CVSS 3.1

This is enrichment, not correction — VulDB is publishing the threat-environmental layer that most CNAs ignore.

4. Apple — bulk product/description rewrite

1,279 CVEs touched (Apple's normal cadence is dozens, not thousands). Operations dominated by replace on descriptions/0, affected/0..3, and references/0..3. This is a bulk re-publication of historical Apple advisories, possibly tied to a CNA tooling migration. Not new CVEs, no severity changes — purely structural.

Inferred causes (in order of confidence)

1. Patchstack pipeline incident, April 1 (high confidence) — The wipeout was a single-day bulk drop of 7,286 CVSS metric blocks. The shape (atomic removal of full metric + source nodes, leaving descriptions/references intact) is a bug signature: a publisher migration or schema-validation regression that nuked metric sub-trees on republish.
2. Patchstack restoration, April 23 (high confidence) — 22 days later, 99.5% identical re-add. They had a clean backup. Almost certainly a coordinated rollback after the bug was fixed.
3. Patchstack ADP cleanup, April 27–28 (medium confidence, ongoing) — Heavy CISA-ADP remove events on Apr 27–28 indicate the orphaned CISA enrichment layer is now being torn down and republished now that the CNA-layer is stable.
4. Wordfence schema change, April 8 (medium confidence) — 8,800-CVE replace-only burst on a single day with no severity moves. Looks like a tooling/schema upgrade, not a content change.
5. VulDB CVSS 4.0 push, April-wide (high confidence) — Pure-add pattern across thousands of CVEs adding threat-layer metric fields. This is a deliberate enrichment rollout, not an incident.
6. Apple advisory re-publication (medium confidence) — Structural rewrites without severity changes; classic CNA-tool migration.

4