Which CVSS base metric sub-score category includes Confidentiality, Integrity, and Availability?

Prepare for the PCI Approved Scanning Vendor (ASV) Test. Study with flashcards, multiple choice questions, hints, and explanations. Get exam ready!

Multiple Choice

Which CVSS base metric sub-score category includes Confidentiality, Integrity, and Availability?

Explanation:
CVSS base scoring uses the CIA triad (Confidentiality, Integrity, and Availability) to quantify the impact a vulnerability has on a system. The sub-score that captures this effect is the Impact category. It evaluates how much of each of those three properties would be compromised, ranging from partial to complete loss of confidentiality, integrity, or availability. This is separate from the other CVSS scoring components: Exploitability looks at how easy it is to exploit the vulnerability (access vector, complexity, privileges, user interaction), Temporal considers how factors like exploit maturity or remediation change over time, and Environmental adjusts the score for a specific environment (such as potential collateral damage or target distribution). So, when the question asks which sub-score category includes Confidentiality, Integrity, and Availability, the answer is the Impact category, because that is precisely what measures the effect on the CIA properties.
