
The Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog — one affecting multiple Qualcomm chipsets and another targeting Broadcom’s VMware Aria Operations platform. Both flaws have been confirmed as actively exploited in the wild, with federal agencies required to remediate by March 24, 2026. Organizations running affected Android devices or VMware Aria deployments should treat patching as an immediate priority.
CVE-2026-21385 — Qualcomm Multiple Chipsets Memory Corruption
Multiple Qualcomm chipsets contain a memory corruption vulnerability related to improper alignment handling during memory allocation (CWE-190). This is an integer overflow affecting the graphics subsystem on many Android devices. To remediate, organizations should apply mitigations per vendor instructions — specifically, Android devices need to reach patch level 2026-03-05 via the March Android Security Bulletin. The due date for federal agencies is March 24, 2026.
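A practical way to act on the patch-level requirement above is to collect each managed device's security patch level and flag any that predate 2026-03-05. The script below is an added example, not code from the article or from Qualcomm/Google: on a real fleet the value comes from `adb shell getprop ro.build.version.security_patch` (or your MDM's equivalent field), and the device list here is constructed sample data. Devices with an empty or malformed patch level are treated as non-compliant so that reporting gaps do not hide unpatched hardware.

```python
"""Flag Android devices whose security patch level is below the required one.

Added example (not from the article). Patch levels are normally read per device
with `adb shell getprop ro.build.version.security_patch`; the fleet mapping
below is constructed sample data.
"""
from datetime import date

# Patch level named in the March Android Security Bulletin referenced above.
REQUIRED_PATCH_LEVEL = "2026-03-05"

# Constructed sample: device serial -> reported ro.build.version.security_patch
SAMPLE_FLEET = {
    "emu-0001": "2026-03-05",  # exactly at the required level
    "emu-0002": "2026-02-05",  # one bulletin behind
    "emu-0003": "",            # property missing or unreadable
    "emu-0004": "2026-04-01",  # ahead of the required level
}


def parse_patch_level(value):
    """Parse an Android patch-level string (YYYY-MM-DD) into a date.

    Returns None for empty or malformed input so callers can fail closed.
    """
    try:
        return date.fromisoformat(value.strip())
    except (ValueError, AttributeError):
        return None


def needs_patch(patch_level, required=REQUIRED_PATCH_LEVEL):
    """True when the device is below `required` or its level cannot be parsed."""
    parsed = parse_patch_level(patch_level)
    if parsed is None:
        return True  # unknown state counts as non-compliant
    return parsed < date.fromisoformat(required)


def triage(fleet, required=REQUIRED_PATCH_LEVEL):
    """Split {serial: patch_level} into (compliant, non_compliant) sorted lists."""
    compliant, non_compliant = [], []
    for serial, level in fleet.items():
        (non_compliant if needs_patch(level, required) else compliant).append(serial)
    return sorted(compliant), sorted(non_compliant)


if __name__ == "__main__":
    ok, todo = triage(SAMPLE_FLEET)
    print(f"compliant ({len(ok)}): {', '.join(ok)}")
    print(f"needs patch ({len(todo)}): {', '.join(todo)}")
```

Feed the function real `getprop` output (one value per serial) to get a remediation list; the comparison is on dates rather than raw strings so a future bulletin level can be passed as `required` without changing the logic.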
CVE-2026-22719 — Broadcom VMware Aria Operations Command Injection
The flaw was originally disclosed and patched on February 24, 2026, as part of VMware’s VMSA-2026-0001 advisory, rated Important with a CVSS score of 8.1. An unauthenticated attacker can exploit this issue to execute arbitrary commands, potentially leading to remote code execution, but only while support-assisted product migration is in progress. Broadcom says it is aware of reports of potential exploitation in the wild but cannot independently confirm their validity.
For organizations that can’t immediately patch, Broadcom provided a temporary workaround — a shell script named “aria-ops-rce-workaround.sh” that must be executed as root on each Aria Operations appliance node, which disables the vulnerable components of the migration process. The federal remediation due date is also March 24, 2026.
Bottom line: If you have exposed, affected assets, patching should be treated as an incident response task, not backlog grooming. Both CVEs are confirmed as actively exploited in the wild, and private sector organizations — while not legally bound by BOD 22-01 — are strongly encouraged to prioritize remediation on the same timeline.


