The year 2024 marked a significant milestone in cybersecurity, featuring an extraordinary surge in Common Vulnerabilities and Exposures (CVE) data.
With the release of over 40,000 CVEs, the industry has seen a dramatic increase of more than 38% compared to the 28,818 CVEs published in 2023.
CVEs By The Numbers
The statistics from 2024 reveal an average of 108 CVEs published daily. May stood out as the month with the highest activity, recording a total of 5,010 CVEs—12.5% of the yearly total.
Notably, Tuesday was the busiest day of the week for publishing, accounting for 9,706 CVEs, or 24.3% of the year’s releases. The peak day was May 3, when 824 CVEs were published in just 24 hours.
Monthly Breakdown of CVEs
Month | CVEs | Percentage |
---|---|---|
January | 2593 | 6.5 |
February | 2778 | 6.9 |
March | 3310 | 8.3 |
April | 3622 | 9.1 |
May | 5010 | 12.5 |
June | 3080 | 7.7 |
July | 3124 | 7.8 |
August | 2900 | 7.2 |
September | 2522 | 6.3 |
October | 3573 | 8.9 |
November | 4058 | 10.1 |
December | 3439 | 8.6 |
Weekly Breakdown of CVEs
Day | CVEs | Percentage |
---|---|---|
Monday | 6449 | 16.1 |
Tuesday | 9706 | 24.3 |
Wednesday | 7143 | 17.9 |
Thursday | 6321 | 15.8 |
Friday | 7100 | 17.7 |
Saturday | 1858 | 4.6 |
Sunday | 1432 | 3.6 |
Top CVE Publishing Days
The most active days for CVE publications included:
Date | CVEs |
---|---|
May 3, 2024 | 845 |
May 14, 2024 | 824 |
July 9, 2024 | 471 |
May 21, 2024 | 436 |
October 21, 2024 | 436 |
November 22, 2024 | 385 |
April 9, 2024 | 384 |
November 19, 2024 | 383 |
December 12, 2024 | 341 |
November 12, 2024 | 333 |
CVE Growth Analysis
This year marks the seventh consecutive year of record-high CVE publications since 2017, with 40,009 CVEs released, an increase of 38.83% from the previous year.
Notably, 15.32% of all CVEs released to date were published in 2024 alone.
The average CVSS (Common Vulnerability Scoring System) score for vulnerabilities in 2024 was 6.67.
A total of 231 vulnerabilities received the maximum score of 10.0, while CVE-2024-2365 recorded the lowest published CVSS score of 1.6.
In 2024, a total of 19,807 distinct CPEs were recorded in CVEs. The most prevalent CPE was cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*, which appeared 8,093 times.
The vulnerability CVE-2024-20433, associated with Cisco’s IOS Software, led with the highest number of unique vulnerable configurations at 2,434.
Role of CVE Numbering Authorities (CNAs)
There are currently 433 CNAs authorized to assign CVE IDs, of which 350 published at least one CVE this year. The top five CNAs were:
CNA | Published CVEs | Overall Percentage |
---|---|---|
Patchstack | 4,566 | 11.41 |
Kernel.org | 4,325 | 10.81 |
Wordfence | 3,525 | 8.81 |
VulDB | 2,936 | 7.34 |
GitHub | 2,121 | 5.30 |
Together, these five CNAs accounted for 43.67% of all CVEs in 2024. They primarily focus on open-source projects and WordPress plugins.
Common Weakness Enumeration (CWE)
In 2024, 237 out of 940 CWEs were assigned to CVEs, with CWE-79 being the most frequent at 6,227 assignments (15.56%). The NVD categorized 6,292 CVEs as lacking CWE information.
A noteworthy 695 rejected CVEs were removed from this year’s dataset.
For ongoing insights and data visualization, interested parties can explore the GitHub repository featuring Jupyter notebooks related to this analysis.
CVE.ICU, an open-source project curated by the author, continues to track these data points in real-time, ensuring stakeholders remain informed on the evolving landscape of CVE data.