Skip to content

CVE ID Format: What CVE-YYYY-NNNN Means

Last reviewed June 2, 2026

A CVE ID has three parts separated by hyphens: the literal prefix CVE, a four-digit year, and an arbitrary-length sequence number of at least four digits -- for example, CVE-2021-44228. The year is when the ID was reserved or assigned, not necessarily when the flaw was discovered or made public. Since 2014, the sequence number has had no upper limit, so it can grow well beyond four digits.

Anatomy of a CVE ID

Every CVE identifier follows the pattern CVE-YYYY-NNNN, where the three segments are joined by hyphens.

  • CVE -- a fixed prefix that marks the identifier as a CVE record.
  • YYYY -- a four-digit year, indicating when the ID was reserved or assigned.
  • NNNN -- a sequence number with a minimum of four digits and no fixed maximum length.

What the year actually means

The year in a CVE ID reflects when the identifier was reserved or assigned, not when the vulnerability was discovered, exploited, or publicly disclosed. A flaw found in late 2023 but reserved under a 2023 block keeps that year even if it is not published until 2024.

This is why you should never infer a vulnerability's age purely from its CVE year. Use the record's reserved, published, and modified dates for timing.

Why sequence numbers vary in length

Originally CVE IDs used exactly four sequence digits, which capped each year at 9,999 IDs. As disclosure volume grew, that limit became a problem.

Starting with IDs issued for 2014, the CVE Program removed the fixed length: the sequence number is now a minimum of four digits and can be arbitrarily long. So CVE-2014-0001 and CVE-2021-44228 are both valid, and an ID like CVE-2023-123456 is perfectly legitimate.

Parsing and validation tips

  • Always treat the sequence number as variable-length; do not assume four digits or pad to a fixed width.
  • Keep leading zeros: CVE-2014-0001 is not the same string as CVE-2014-1.
  • The year and sequence are independent -- two IDs can share a year but never the full identifier.
  • A reserved ID is syntactically valid even before any description is published.

Keep exploring

Frequently asked questions

How many digits does a CVE number have?
At least four. Since 2014 there is no upper limit, so the sequence portion can be five, six, or more digits long.
Does the year in a CVE ID mean the year it was disclosed?
Not necessarily. The year reflects when the ID was reserved or assigned, which can precede public disclosure by months.
Why do some CVE IDs have leading zeros?
Sequence numbers historically used four digits, so smaller numbers were zero-padded, as in CVE-2014-0001. The zeros are part of the identifier.
Is CVE-2021-44228 a valid CVE ID?
Yes. It is the Log4Shell vulnerability and a textbook example of a sequence number longer than four digits.