The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog, adding two high-stakes flaws that are reportedly being weaponized in the wild. The update targets a widespread memory corruption issue in Qualcomm chipsets and a critical command injection vulnerability in VMware infrastructure.
Google's March 2026 Android Security Bulletin has sounded the alarm on CVE-2026-21385, a memory corruption vulnerability affecting a massive array of Qualcomm chipsets. While specific details of the attacks remain shielded, both Google and Qualcomm have confirmed that the flaw is currently facing “limited, targeted exploitation”.
Qualcomm's security advisory indicates the flaw is an integer overflow or wraparound residing within the Graphics subcomponent. Local attackers can exploit this overflow to trigger memory corruption, potentially leading to unauthorized code execution on the affected device.
In the enterprise sector, Broadcom is tracking CVE-2026-22719, an Important-rated command injection vulnerability (CVSS 8.1) in VMware Aria Operations. The flaw is particularly dangerous because it allows for unauthenticated remote code execution (RCE) during specific system operations.
A malicious, unauthenticated actor can execute arbitrary commands while support-assisted product migration is in progress. Broadcom has noted reports of potential exploitation in the wild, stating, “Broadcom is aware of reports of potential exploitation of CVE-2026-22719 in the wild, but we cannot independently confirm their validity.”
Due to the risk posed to federal networks, Federal Civilian Executive Branch (FCEB) agencies have been mandated to remediate this flaw by March 24, 2026.