The CVE Lifecycle: Reserved, Published, Modified
Last reviewed June 2, 2026
A CVE record moves through a small set of states. It starts as Reserved when a CNA allocates an ID but withholds details, becomes Published when the vulnerability is disclosed with a description and references, and is Modified whenever the record is later updated. A record can also be Rejected if it turns out to be invalid or a duplicate.
The states of a CVE
A CVE record has a status that tells you where it is in its life. The main states are Reserved, Published, and Rejected, and Published records continue to be updated over time.
- Reserved -- a CNA has allocated the ID but no details are public yet.
- Published -- the vulnerability is disclosed, with a description, affected products, and references.
- Modified -- a published record has been updated with new or corrected information.
- Rejected -- the ID was withdrawn, typically because it was a duplicate or not a real vulnerability.
Reserved: the ID exists, the details do not
When a researcher or vendor needs an identifier before public disclosure, a CNA reserves a CVE ID. At this stage the ID is valid and citable, but the record carries no description -- it is a placeholder during coordinated disclosure.
This is why you sometimes see a CVE ID referenced in an advisory before any details are available: the ID was reserved ahead of the public Published state.
Published: the vulnerability is disclosed
When disclosure happens, the CNA populates the record and it becomes Published. At this point the record includes a description, the affected products, and references to advisories and patches. Downstream systems like the NVD and CISA's Vulnrichment can now begin enriching it.
Publication is the moment the vulnerability becomes part of the public knowledge base that scanners, feeds, and the KEV catalog draw on.
Modified and Rejected
A CVE is rarely frozen at publication. As new affected versions surface, patches ship, or descriptions are corrected, the record is updated -- reflected in its Modified date. Tracking the modified date matters because enrichment data such as CVSS scores and CPE lists can change after first publication.
Occasionally a CVE is Rejected. This happens when an ID was assigned in error, the issue is a duplicate of another CVE, or further analysis shows there is no real vulnerability. The ID is never reused; it stays withdrawn so old references do not point at a recycled flaw.
Keep exploring
- What is a CVE?The record that moves through these states.
- CVE ID format explainedWhat the year and sequence number mean.
- What is a CNA?Who reserves and publishes records.
- What is the NVD?Where published records get enriched.
- What is the CISA KEV catalog?The catalog that draws on published CVEs.
- Zero-day vs N-dayWhether a patch exists at the time of exploitation.
Frequently asked questions
- What does Reserved mean for a CVE?
- Reserved means a CNA has allocated the CVE ID but has not yet published any details. The ID is valid but the record is a placeholder pending disclosure.
- What is the difference between published and modified dates?
- The published date is when the record was first disclosed; the modified date is the most recent time the record was updated with new or corrected information.
- Can a CVE ID be reused after rejection?
- No. A rejected CVE ID is permanently withdrawn and never reassigned, so historical references remain unambiguous.
- Why does a CVE show up before any details are available?
- Because the ID was reserved during coordinated disclosure. The Reserved state lets people cite the identifier before the Published details exist.
