
How is a CVSS score calculated?

Last reviewed June 2, 2026

A CVSS v3.x Base score is built from two sub-scores. The Exploitability sub-score combines Attack Vector, Attack Complexity, Privileges Required, and User Interaction. The Impact sub-score combines the Confidentiality, Integrity, and Availability impacts. The Scope metric determines how the two are merged, and the result is rounded up to one decimal place on a 0.0 to 10.0 scale. If Impact is zero, the Base score is zero.

Two sub-scores feed the Base score

In CVSS v3.x, the Base score is not a single average. It is derived from two distinct sub-scores that answer different questions, then combined according to the Scope metric. The Exploitability sub-score measures how easy the vulnerability is to attack, and the Impact sub-score measures how much damage a successful attack causes.

Keeping these separate is deliberate. A flaw can be trivial to reach but cause little harm, or extremely damaging but hard to trigger, and the two sub-scores capture that difference before they are merged.

The Exploitability sub-score

The Exploitability sub-score is calculated from four Base metrics. Each metric maps to a numeric weight, and the weights are multiplied together with a constant. More exposed and easier-to-attack values push the sub-score higher.

  • Attack Vector (AV): Network scores highest, then Adjacent, Local, and Physical.
  • Attack Complexity (AC): Low scores higher than High, because High means extra conditions must be met.
  • Privileges Required (PR): None scores highest; Low and High reduce the value, and the weight depends on Scope.
  • User Interaction (UI): None scores higher than Required.

The Impact sub-score

The Impact sub-score is derived from the three impact metrics: Confidentiality (C), Integrity (I), and Availability (A). Each is None, Low, or High, with High contributing the most. The three combine into an intermediate value called ISC Base, which is then transformed differently depending on whether Scope is Unchanged or Changed.

A key rule follows from this: if all three impact metrics are None, the Impact sub-score is zero, and the entire Base score becomes 0.0 regardless of how exploitable the flaw is. There is no point scoring reachability for an attack that achieves nothing.

Scope decides how they combine

The Scope metric controls the final formula. When Scope is Unchanged, the impact stays within the vulnerable component's security authority, and the Base score is the rounded-up sum of Impact and Exploitability, capped at 10.0. When Scope is Changed, the exploited component can affect resources beyond its authority, so CVSS applies a larger multiplier and a higher cap (up to 10.0) to reflect the wider blast radius.

How the Base score is assembled in CVSS v3.x

Step              | Inputs                                       | Produces
1. Exploitability | AV, AC, PR, UI                               | Exploitability sub-score
2. Impact         | C, I, A (via ISC Base)                       | Impact sub-score
3. Combine        | Impact + Exploitability, adjusted by Scope   | Raw Base value
4. Round          | Round up to one decimal                      | Final Base score (0.0 to 10.0)

Rounding: always up to one decimal

CVSS v3.1 specifies a precise rounding function, not ordinary rounding. The raw value is rounded up to the nearest tenth, so 5.51 becomes 5.6 and 5.50 stays 5.5. This roundup rule is why hand-computed scores sometimes differ from a calculator that rounds the conventional way. CVSS v4.0 abandons this arithmetic entirely in favor of a MacroVector lookup, but the v3.x roundup is what most published scores rely on.


Frequently asked questions

What are the two sub-scores in a CVSS score?
The Exploitability sub-score (from Attack Vector, Attack Complexity, Privileges Required, and User Interaction) and the Impact sub-score (from Confidentiality, Integrity, and Availability). Scope determines how they combine into the Base score.
Why is the Base score zero when there is no impact?
If Confidentiality, Integrity, and Availability impacts are all None, the Impact sub-score is zero, which forces the entire Base score to 0.0 no matter how exploitable the flaw is.
How does CVSS round its scores?
CVSS v3.1 rounds up to the nearest one-tenth using a defined roundup function. So 6.41 becomes 6.5 and 6.40 stays 6.4, which can differ from conventional rounding.
Does the Scope metric change the calculation?
Yes. Scope Unchanged and Scope Changed use different formulas. Changed scope applies a larger multiplier to reflect impact crossing a security boundary, producing a higher score for the same impact and exploitability.
Is CVSS 4.0 calculated the same way?
No. CVSS 4.0 replaces the v3.x arithmetic formula and roundup with a MacroVector lookup model, so the exploitability-plus-impact equation described here is specific to v3.x.