Confusing Value with Enumeration: Studying the Use of CVEs in Academia
Moritz Schloegel, Daniel Klischies, Simon Koch, David Klein, Lukas Gerlach, Malte Wessels, Leon Trampert, Martin Johns, Mathy Vanhoef, Michael Schwarz, Thorsten Holz, Jo Van Bulck
USENIX Security, Seattle, Washington, USA, August 13-15, 2025
Common Vulnerabilities and Exposures (CVE) IDs serve as unique identifiers for security-relevant bugs, facilitating clear communication and tracking of affected products. Originally intended solely for identification, the CVE system has faced increasing criticism due to the misconception that assigning a CVE implies a serious security issue. Notably, academic works on security vulnerabilities often claim CVEs, presumably to demonstrate the practical impact of their methods. We systematically study the use of CVEs in academic papers to better understand how well CVEs claimed in academic work correlate with real-world impact. To this end, we present the trends we identified through quantitative analysis, a qualitative review of published papers, and a user survey. We observe a clear shift towards more frequent use of CVEs in academic papers over the last 25 years, especially in certain research areas. Our qualitative review of 1,803 CVEs claimed in papers published in the past five years reveals that 34% have not been publicly confirmed, or were disputed, by the maintainers of the affected software, challenging the notion that they reflect real-world effects. Our survey of 103 academic reviewers and authors reveals widespread misconceptions about the CVE system and an explicit preference for reporting CVE numbers, but no indication of an implicit bias in the review process. We advise caution in using CVEs as a proxy for real-world impact and provide actionable recommendations for the academic security community and practitioners.