The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog, adding critical flaws in Qualcomm products and Broadcom VMware Aria Operations that are currently under active exploitation. Effective March 4, 2026, this update mandates immediate action for federal agencies and serves as a critical alert for all organizations that use these technologies.

Specifically, CISA has added CVE-2026-22719, a command injection vulnerability in Broadcom VMware Aria Operations with a CVSS score of 8.1, and CVE-2026-21385, a vulnerability affecting Qualcomm with a CVSS score of 7.8. The updated KEV list also features actively exploited vulnerabilities impacting Google Chromium CSS, Microsoft Windows, TeamT5 ThreatSonar Anti-Ransomware, and Zimbra platforms [1].

Inclusion in the KEV catalog indicates that these flaws have proven useful to malicious actors. Practitioners must prioritize patching the identified vulnerabilities without delay, because active exploitation represents an immediate and significant risk of system compromise and data exfiltration.