How to Read a CVSS Score: What 9.8 Actually Means (and What It Doesn’t)

Every vulnerability advisory leads with a number — "CVSS 9.8 Critical" — and most readers stop there. That number compresses eight specific judgments into one digit-and-a-half, and knowing how to unpack it changes how you triage: two 7.5s can demand completely different responses. Here is how to read a CVSS score like the committee that wrote it. To score something yourself, the CVSS calculator runs the official formulas as you click.

The vector string is the real score

The number is a summary; the vector is the assessment. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H reads as: reachable from the network, easy to exploit reliably, no privileges or user interaction needed, and a total loss of confidentiality, integrity and availability — the anatomy of a pre-auth remote code execution, and the reason "9.8" became security shorthand for drop-everything. When two vulnerabilities share a number, the vectors tell you how differently they got there: a 7.5 that is AV:N/…/C:H/I:N/A:N (remote total data leak, think Heartbleed) is a different animal from a 7.5 denial-of-service. Read vectors, not headlines.

The eight base judgments, in plain terms

Four metrics describe exploitability: how the attacker reaches the flaw (Attack Vector), whether success is reliable or depends on conditions outside their control (Attack Complexity), what access they must already have (Privileges Required), and whether a victim has to participate (User Interaction). One metric — Scope — asks whether the compromise escapes the vulnerable component's own security boundary (sandbox escapes, VM escapes, XSS running in other users' sessions). The last three rate the damage to confidentiality, integrity and availability, each None/Low/High. The formula then rewards breadth: full C+I+A with easy remote exploitation lands in the 9.8–10.0 range, while the same impact behind local access and high privileges drops several points.

Severity is not risk

CVSS base scores rate the vulnerability in the abstract — the same bug scores the same everywhere, by design. Risk is that severity multiplied by your exposure: is the vulnerable service internet-facing, what data sits behind it, what compensating controls exist, is exploitation actually happening in the wild? A 9.8 in a library you compile but never feed attacker input may rank below a 6.1 XSS on your login page. This is why mature triage pairs CVSS with exploit-activity signals (KEV lists, EPSS probabilities) and asset context rather than sorting the patch queue by score alone. CVSS answers "how bad is this bug?"; only you can answer "how bad is it here?"

Temporal and environmental: the forgotten two-thirds

The base score assumes worst-case: exploit code exists and no fix does. The temporal metrics adjust for reality — no public exploit (E:U) and an official patch (RL:O) can pull a 9.8 down toward 8.1, and watching that number climb back up as proof-of-concept code appears is exactly the signal a triage queue wants. Environmental metrics go further and re-weight the score for your deployment (does confidentiality matter most for this asset? is the vulnerable component even reachable?). Almost everyone quotes bare base scores anyway — which is fine for advisories, but if you republish scores internally, the environmental adjustment is where the score starts describing your systems.

Where scores go wrong

Score inflation has two classic engines: rating a partial information leak as C:H ("it exposed something"), and marking Attack Complexity Low because the researcher's lab exploit worked, even though it relied on conditions a real attacker cannot control. Do not overcorrect, though: "it took skill, but nothing was left to chance" is still AC:L; High is reserved for conditions outside the attacker's control. Deflation happens too, usually by scoring the component narrowly and ignoring a Scope change. The cure for both is the same: score the vector one honest metric at a time and let the number fall out, rather than deciding the number first and picking metrics to match. That is exactly the workflow the calculator enforces, and the shareable vector link means reviewers argue about specific judgments, not vibes.

Ready to try it? Open the CVSS Calculator →