CVSS 4.0 vs 3.1: what changed and why

Last reviewed June 2, 2026

CVSS v4.0, released in 2023, refines v3.1 (released in 2019) rather than replacing the scale. The biggest changes are a new Attack Requirements (AT) metric, impact split into vulnerable-system (VC/VI/VA) and subsequent-system (SC/SI/SA) metrics, an expanded User Interaction metric (None/Passive/Active), and a new MacroVector-based scoring model. The 0.0 to 10.0 severity bands stay the same.

The short version

CVSS v3.1 has been the most widely published version since 2019 and remains common across vulnerability databases. CVSS v4.0, published by FIRST in 2023, keeps the familiar 0.0 to 10.0 scale and the same five severity bands, but it changes how the score is built to address long-standing criticisms about granularity and overuse of the Base score alone.

Key differences side by side

CVSS v4.0 compared with v3.1

| Aspect | CVSS 3.1 (2019) | CVSS 4.0 (2023) |
| --- | --- | --- |
| Released | June 2019 | November 2023 |
| Severity bands | None / Low / Medium / High / Critical | Same five bands, 0.0-10.0 |
| Attack Requirements (AT) | Not present | New metric for conditions an attacker needs |
| Impact metrics | C / I / A (single system) | Split: VC/VI/VA (vulnerable) and SC/SI/SA (subsequent) |
| Scope metric | S (Unchanged / Changed) | Removed; replaced by subsequent-system impact |
| User Interaction | None / Required | None / Passive / Active |
| Second metric group | Temporal (3 metrics) | Threat (Exploit Maturity only) |
| Scoring model | Formula-based | MacroVector lookup model |
| Supplemental metrics | Not present | Optional Safety, Automatable, Recovery, and more |

From Scope to subsequent-system impact

The most conceptually significant change is replacing v3.1's Scope metric. In v3.1, Scope flagged whether a flaw could affect resources beyond its own security authority, but it was widely misunderstood. CVSS v4.0 instead models impact on two systems directly: the vulnerable system (VC, VI, VA) and any subsequent system the attack reaches (SC, SI, SA). This makes blast radius explicit rather than a single binary flag.

A new scoring engine

CVSS v4.0 replaces the v3.1 arithmetic formula with a MacroVector model. Metric combinations are grouped into equivalence classes, and scores come from a curated lookup informed by expert scoring rather than a single equation. The goal is smoother, more defensible scores and better differentiation between vectors that v3.1 collapsed to the same number.

Which version should you use?

Use v4.0 when the source provides it, since it is the current standard and captures threat and environmental context more cleanly. In practice you will still encounter v3.1 scores everywhere because most historical data and many feeds remain on v3.1. Tooling should read both, and you should never compare a v3.1 number directly against a v4.0 number as if they were identical measurements.
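
One way tooling can read both vector formats, shown as an added example that is not code from the original page or from FIRST: it validates the Base metrics each version requires, derives the v3.1 Scope flag or the v4.0 subsequent-system impact, and refuses to rank scores across versions. The function names and the sample records are assumptions made for illustration.

```python
# Added example, not from the original page. Only Base metrics are validated;
# Threat, Environmental and Supplemental metrics in a vector are ignored.
BASE = {
    "3.1": {"AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR", "S": "UC",
            "C": "HLN", "I": "HLN", "A": "HLN"},
    "4.0": {"AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
            "VC": "HLN", "VI": "HLN", "VA": "HLN",
            "SC": "HLN", "SI": "HLN", "SA": "HLN"},
}
BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]

def parse_vector(vector):
    """Return (version, metrics) for a v3.1 or v4.0 vector, else ValueError."""
    prefix, _, rest = vector.partition("/")
    version = prefix[5:] if prefix.startswith("CVSS:") else None
    if version not in BASE:
        raise ValueError(f"unsupported CVSS prefix: {prefix!r}")
    metrics = dict(part.split(":", 1) for part in rest.split("/"))
    for name, allowed in BASE[version].items():
        if metrics.get(name) not in set(allowed):
            raise ValueError(f"v{version}: bad or missing {name}")
    return version, metrics

def crosses_boundary(version, metrics):
    """v3.1: Scope is Changed. v4.0: any subsequent-system impact is not None."""
    if version == "3.1":
        return metrics["S"] == "C"
    return any(metrics[k] != "N" for k in ("SC", "SI", "SA"))

def severity(score):
    """Severity band; the thresholds are the same in v3.1 and v4.0."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    return next((name for floor, name in BANDS if score >= floor), "None")

def higher_scored(a, b):
    """Pick the higher of two (vector, score) records; same version only."""
    if parse_vector(a[0])[0] != parse_vector(b[0])[0]:
        raise ValueError("refusing to rank a v3.1 score against a v4.0 score")
    return a if a[1] >= b[1] else b

# Constructed sample records, shaped like (vector, published score) from a feed.
V31_A = ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 9.8)
V31_B = ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", 10.0)
V40_A = ("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", 9.3)
if __name__ == "__main__":
    for vec, score in (V31_A, V31_B, V40_A):
        version, m = parse_vector(vec)
        print(version, severity(score), crosses_boundary(version, m))
```

A v3.1 vector carrying `UI:P` or a v4.0 vector without `AT` is rejected, which catches feeds that mislabel the version prefix.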

Frequently asked questions

Is CVSS 4.0 better than 3.1?
CVSS 4.0 is more granular and models blast radius and threat context better, addressing common v3.1 criticisms. It is the current standard, but v3.1 remains the most widely published, so both are in active use.

Did CVSS 4.0 change the severity ranges?
No. CVSS 4.0 keeps the same 0.0 to 10.0 scale and the same five bands: None, Low, Medium, High, and Critical.

What happened to the Scope metric in CVSS 4.0?
Scope was removed. Its intent is now captured by separate subsequent-system impact metrics (SC, SI, SA) alongside the vulnerable-system impact metrics (VC, VI, VA).

What is the Attack Requirements metric in CVSS 4.0?
Attack Requirements (AT) is a new Base metric describing prerequisite deployment or execution conditions an attacker needs, separating those from Attack Complexity.

Can I compare a CVSS 3.1 score directly to a 4.0 score?
Not reliably. The versions use different metrics and a different scoring model, so the same flaw can produce different numbers. Treat them as separate measurements.