CISA has added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog — a Qualcomm graphics integer‑overflow affecting many Android devices (CVE‑2026‑21385) and a command‑injection flaw in VMware Aria Operations tracked as CVE‑2026‑22719 — forcing federal agencies to prioritize remediation under BOD 22‑01 (https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities) and urging all organizations to accelerate patching and mitigation efforts.
Source: CISA, “CISA Adds Two Known Exploited Vulnerabilities to Catalog”
Background
The KEV Catalog is the operational, evidence‑driven list CISA maintains to identify vulnerabilities that are already weaponized in the wild. It exists to convert observed exploitation into directed remediation priorities for Federal Civilian Executive Branch (FCEB) agencies and to provide a practical prioritization signal for the private sector. Under Binding Operational Directive 22‑01, agencies must remediate cataloged vulnerabilities according to specified timelines (two weeks for newly assigned CVEs in most cases, six months for certain older CVEs), or remove affected assets from agency networks. That directive is the legal and programmatic backbone that turns a catalog entry into an operational deadline.
CISA’s recent notice flagged two entries that merit immediate attention from administrators who manage Android device fleets, mobile device management (MDM) systems, virtualization platforms, and migrations. The notice is blunt: these are vulnerabilities with credible evidence of active exploitation, and they are the kinds of flaws adversaries favor for initial access and fast lateral movement.
What CISA added (quick summary)
- CVE‑2026‑21385 — Qualcomm multiple chipsets memory corruption (Graphics / Display): a high‑severity integer‑overflow / memory‑corruption flaw in a Qualcomm open‑source display/graphics component used in a wide range of Android devices. Google’s March 2026 Android security bulletin treats this as an actively exploited issue and Qualcomm has published fixes for affected open‑source components. Reported CVSS: 7.8.
- CVE‑2026‑22719 — Broadcom / VMware Aria Operations command injection: a command‑injection vulnerability in VMware Aria Operations (disclosed in Broadcom’s VMSA‑2026‑0001). Broadcom rates the issue in the Important severity range with a maximum CVSSv3 base score of 8.1 and documents specific affected versions, fixed releases, and a temporary workaround. Exploitation is tied to a narrow operational condition (support‑assisted product migration), but the ability to get arbitrary commands executed makes this a high‑risk entry.
CVE‑2026‑21385 — Qualcomm graphics integer‑overflow (deep dive)
Technical summary
According to Google’s March 2026 Android security bulletin and reporting from multiple outlets, CVE‑2026‑21385 is an integer‑overflow / memory‑corruption bug in an open‑source Qualcomm graphics/display component. The bug occurs when user‑supplied data is added without verifying available buffer space, producing a memory corruption condition that can be leveraged for code execution in certain contexts. Qualcomm’s vendor notes describe the issue as “memory corruption when adding user‑supplied data without checking available buffer space” (integer overflow). Google’s bulletin marks the bug as one that “may be under limited, targeted exploitation,” and Qualcomm’s bulletin and related open‑source commits show the fixes pushed into kernel and graphics trees. The reported CVSS base score for the issue is 7.8.
Scope and affected platforms
Public reporting indicates the vulnerability is present in open‑source Qualcomm components used across many device chipsets — reporting cited “234 chipsets” as impacted in vendor statements — and is handled in the Android March 2026 patch levels (2026‑03‑01 and 2026‑03‑05). In practice, affected devices include a broad swath of Android phones and tablets that incorporate Qualcomm drivers and kernel components; however, the presence and timing of a fix on a given consumer or enterprise device depends on the OEM/carrier update schedule. This fragmentation is the core operational challenge for mobile remediation.
Evidence of exploitation
Google categorized CVE‑2026‑21385 as an actively exploited zero‑day in its March Android bulletin, stating there are indications the vulnerability may be under limited, targeted exploitation. That phrasing reflects Google’s standard disclosure practice, in which exploitation observed by TAG (Threat Analysis Group) is not always fully public but is sufficiently credible for inclusion in the active‑exploitation category. Third‑party reporting (security press) has repeated Google’s characterization and noted the concurrent vendor fixes and upstream commits.
Practical implications for IT and security teams
- Mobile fleets: Devices that have not received the 2026‑03 security patch level remain exposed. Because OEMs and carriers control final update delivery, organizations must inventory devices by vendor, model, and patch level and apply mitigations where updates are pending. MDM solutions should be used to enforce or expedite installation of security patch levels.
- BYOD and unmanaged devices: Personal devices connecting to corporate resources represent a high‑risk vector if they are running vulnerable kernels/drivers. Enforce conditional access policies that require minimum patch levels, restrict risky devices from sensitive systems, and consider temporary blocking of older Android patch levels for high‑risk access.
- Patching cadence: Expect lag between Google’s bulletin and vendor/OEM rollouts; plan for a multi‑tiered mitigation window that emphasizes high‑value and high‑privilege device owners first (executive devices, developers, MDM admins).
Verification and technical artifacts
Several public change‑sets in open‑source Qualcomm kernel/graphics trees were highlighted in reporting as the upstream fixes for this issue; these commits are useful for technical triage and for vendor coordinators verifying whether a particular vendor binary tree contains the patch. However, relying solely on commit presence is not a substitute for vendor‑supplied patched firmware or OTA images.
CVE‑2026‑22719 — VMware Aria Operations command injection (deep dive)
Technical summary
Broadcom’s advisory VMSA‑2026‑0001 documents CVE‑2026‑22719 as a command‑injection vulnerability in VMware Aria Operations. Broadcom places the flaw in the Important severity band with a maximum CVSSv3 score of 8.1 and states that an unauthenticated actor may be able to execute arbitrary commands, leading to remote code execution, while support‑assisted product migration is in progress. Broadcom provides fixed versions and a documented workaround for live environments that cannot immediately upgrade.
Affected products and fixes
Broadcom lists multiple affected product bundles — VMware Aria Operations (8.18.x and 9.0.x), VCF Operations, and related platform packages — with fixed releases (for example, Aria Operations 8.18.6 and 9.0.2 are identified as containing the remediation). The vendor also published a KB article that includes a temporary workaround script (aria‑ops‑rce‑workaround.sh) for primary nodes to reduce exposure while administrators prepare for upgrades. Administrators should follow the vendor’s response matrix to identify the correct fixed version for their deployment and apply the vendor‑supplied mitigation if an immediate upgrade is not feasible.
Exploitation conditions and operational impact
Broadcom’s advisory narrows the exploitation vector to migration activity (support‑assisted migrations) — a real‑world operational condition that may not be present in all deployments — but because the vulnerability is a command injection, the potential impact is severe if that condition is met. Attackers who can influence or trigger migration steps, or who can persuade or intercept support processes, may gain code‑execution capability on management appliances. For organizations that run Aria Operations across large clouds or span multiple internal management zones, this vulnerability can serve as an escalation or lateral‑movement primitive once initial access exists.
Recommended immediate actions
- Inventory Aria Operations instances and identify versions and whether support‑assisted migrations are enabled or in use.
- Apply Broadcom’s fixed releases per the response matrix. If you cannot upgrade immediately, implement the documented workaround script and harden network access to management interfaces.
- Monitor for anomalous migration activity, unexpected command executions on appliance consoles, and suspicious authentication events related to support or migration accounts.
Why these additions matter — strategic context
- KEV entries convert observed exploitation into operational deadlines. The practical effect of adding CVE‑2026‑21385 and CVE‑2026‑22719 to the KEV catalog is to elevate organizational priority: federal agencies are required to act, and the private sector gains a clear, risk‑based signal to allocate scarce patching resources. The policy lever matters: BOD 22‑01 ties evidence of exploitation to real action.
- The two CVEs illustrate two recurring systemic challenges:
  - Patch distribution lag in diverse device ecosystems. Qualcomm‑related bugs are ubiquitous across OEMs and carriers; device owners can only patch if their manufacturer distributes updated firmware. That delay produces windows of exposure that attackers can and will exploit.
  - Complex product stacks and special operational states. The Aria Operations problem is exacerbated by complex migration workflows and multiple bundled enterprise products; vulnerabilities that require a specific operational condition can still be devastating when those conditions occur during routine maintenance or support operations.
- Attackers increasingly prefer chaining and reachability over raw CVSS severity. The KEV program reflects real attacker behavior: adversaries favor flaws they can reach and chain, and CISA’s evidence‑first approach is meant to steer defenders toward the vulnerabilities that actually matter in the wild. Organizations that continue to prioritize only “critical CVSS” without referencing exploitation evidence risk misallocating finite remediation resources.
Practical remediation checklist (what to do now)
- Inventory and Triage
  - Compile an accurate inventory for: Android devices (by vendor/model/patch level), Aria Operations instances (version and cluster role), and any third‑party products that embed the affected components.
  - Prioritize assets by exposure, criticality, and the presence of sensitive data or privileged access.
- Patch and Update (apply vendor fixes first)
  - For CVE‑2026‑21385: require Android devices to reach patch level 2026‑03‑05 (or the OEM’s equivalent OTA image that includes the Qualcomm fixes). Use MDM policies to enforce or accelerate installation for corporate devices. Document dates and version strings for auditing.
  - For CVE‑2026‑22719: apply Broadcom’s fixed Aria Operations releases listed in VMSA‑2026‑0001 (for example, Aria Operations 8.18.6 / 9.0.2 where applicable). If an immediate upgrade isn’t possible, follow Broadcom’s workaround KB steps.
- Mitigate while you patch
  - Block or tightly restrict management and migration‑related interfaces to trusted IPs; use network segmentation and firewall rules to reduce reachability.
  - For Android fleets, reduce attack surface by enforcing app store restrictions, privilege restrictions, and conditional access rules for legacy or unpatched devices.
  - Apply the vendor workaround for Aria Operations when necessary, and document the temporary change as part of change control.
- Hunt and detect
  - Look for signs of successful exploitation: unexpected command execution logs, new processes spawned by Aria appliances during migration windows, unusual HTTP requests or payloads to management endpoints, or sudden changes to appliance configuration.
  - For mobile endpoints, hunt for suspicious privilege escalations, new persistent payloads, or unexplained network connections to attacker infrastructure following known migration or update events.
- Communicate and document
  - Notify stakeholders (security ops, platform owners, executives) of exposure windows, remediation timelines, and compensating controls.
  - For federal entities: report remediation status through CDM / CyberScope per BOD 22‑01 requirements.
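To make the inventory, patch‑target and deadline steps of the checklist concrete, here is an added Python example (not CISA’s, Google’s or Broadcom’s code) that joins a constructed inventory export against constructed KEV‑style records. It flags Android devices whose security patch level predates 2026‑03‑05, flags Aria Operations nodes below the 8.18.6 / 9.0.2 fixed releases named in this article, and computes the BOD 22‑01 due date for each entry. The record field names (cveID, vendorProject, dateAdded) follow CISA’s public KEV JSON feed, but the dateAdded values, asset names and versions are placeholders; the 2021 cutoff between the two‑week and six‑month timelines is the directive’s own rule and is not restated in this article.

```python
"""Triage helper for the two KEV entries discussed above.

Added example, not CISA's, Google's or Broadcom's code. INVENTORY and
KEV_SAMPLE are constructed sample data; in practice the rows come from an
MDM export and from CISA's KEV JSON feed.
"""
from datetime import date, timedelta
import re

# Remediation targets as stated in the article (vendor advisories are authoritative).
ANDROID_MIN_PATCH_LEVEL = date(2026, 3, 5)            # 2026-03-05 patch level
ARIA_FIXED = {"8.18": (8, 18, 6), "9.0": (9, 0, 2)}   # fixed release per train

# Constructed KEV-style records. Field names follow CISA's KEV JSON feed;
# the dateAdded values are placeholders, not the real catalog dates.
KEV_SAMPLE = [
    {"cveID": "CVE-2026-21385", "vendorProject": "Qualcomm", "dateAdded": "2026-03-10"},
    {"cveID": "CVE-2026-22719", "vendorProject": "VMware", "dateAdded": "2026-03-10"},
]

# Constructed inventory rows: (asset name, asset kind, patch level or version).
INVENTORY = [
    ("phone-001", "android", "2026-03-05"),
    ("phone-002", "android", "2026-02-01"),
    ("phone-003", "android", "2025-12-05"),
    ("aria-primary", "aria_ops", "8.18.5"),
    ("aria-data-1", "aria_ops", "8.18.6"),
    ("aria-lab", "aria_ops", "9.0.1"),
    ("aria-new", "aria_ops", "9.0.2"),
]


def bod_due_date(cve_id, date_added):
    """BOD 22-01 timeline as the article summarises it: two weeks for newly
    assigned CVEs, six months for older ones. The 2021 cutoff is the
    directive's own rule (assumption: not restated in the article), and
    180 days stands in for 'six months'."""
    year = int(cve_id.split("-")[1])
    added = date.fromisoformat(date_added)
    return added + timedelta(days=14 if year >= 2021 else 180)


def parse_version(version):
    """'8.18.5' -> (8, 18, 5); tuples compare numerically, strings do not."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def android_exposed(patch_level):
    """True when the device's security patch level predates 2026-03-05."""
    return date.fromisoformat(patch_level) < ANDROID_MIN_PATCH_LEVEL


def aria_exposed(version):
    """True when an Aria Operations build is below the fixed release for its
    train, or on a train the article lists no fixed release for."""
    parts = parse_version(version)
    fixed = ARIA_FIXED.get(f"{parts[0]}.{parts[1]}")
    return fixed is None or parts < fixed


CHECKS = {
    "CVE-2026-21385": ("android", android_exposed),
    "CVE-2026-22719": ("aria_ops", aria_exposed),
}


def triage(inventory=INVENTORY, kev=KEV_SAMPLE, today=date(2026, 3, 12)):
    """Per CVE: exposed assets, BOD due date and days remaining (negative = overdue)."""
    report = {}
    for rec in kev:
        cve = rec["cveID"]
        kind, is_exposed = CHECKS[cve]
        due = bod_due_date(cve, rec["dateAdded"])
        report[cve] = {
            "exposed": [name for name, k, val in inventory if k == kind and is_exposed(val)],
            "due": due.isoformat(),
            "days_left": (due - today).days,
        }
    return report


if __name__ == "__main__":
    for cve, row in triage().items():
        print(cve, row)
```

Replace INVENTORY with rows from your MDM and Aria inventories and KEV_SAMPLE with the matching records from the live KEV feed; a negative days_left means the asset is past the BOD 22‑01 deadline and, for an FCEB agency, should already be remediated or removed from the network.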
Detection and hunting suggestions (concrete checks)
- Aria Operations
  - Audit migration logs and support‑migration processes for anomalous commands or file writes during migration windows.
  - Monitor appliance shells and syslogs for unexpected root‑level activity.
  - Check for creation of unexpected cron jobs, scheduled tasks, or sudden configuration template changes.
- Android / Qualcomm‑based devices
  - Verify device patch levels across the fleet; search MDM logs for devices with patch strings older than 2026‑03‑05.
  - Use EDR/mobile‑oriented telemetry (where deployed) to hunt for indicators consistent with memory‑corruption exploitation (unexplained process crashes, nonstandard process injections, or unexpected binary instrumentation).
  - Enforce network segmentation for high‑risk devices (block access to critical admin panels from unmanaged Android devices).
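As an added illustration of the Aria Operations hunting items above (not Broadcom/VMware code, and not a real Aria Operations log format), the following Python walks constructed process‑start events in an assumed `procstart parent=… user=… cmd="…"` layout and applies three rules: a shell spawned by a migration or support process, a command that writes a persistence artifact (cron entry, unit enablement, SSH key), and migration‑service activity outside the approved migration window. The process names migration-service and support-assist and the window itself are assumptions; map the rules onto whatever your appliance’s audit or syslog output actually records.

```python
"""Hunt helper for migration-window activity on a management appliance.

Added example; not Broadcom/VMware code and not a real Aria Operations log
format. SAMPLE_LOG and the 'procstart parent=... user=... cmd="..."' layout
are constructed; MIGRATION_PARENTS are assumed process names.
"""
import re
from datetime import datetime, timezone

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) procstart parent=(?P<parent>\S+) '
    r'user=(?P<user>\S+) cmd="(?P<cmd>[^"]*)"$'
)
# Interpreters a migration or support service has no business launching.
SHELL_RE = re.compile(r'^(/bin/|/usr/bin/)?(sh|bash|dash)\b')
# Writes that create persistence (cron entries, unit enablement, SSH keys).
PERSIST_RE = re.compile(r'crontab|/etc/cron|systemctl\s+enable|authorized_keys|\.bashrc')
MIGRATION_PARENTS = {"migration-service", "support-assist"}  # assumed names

# Constructed events: one legitimate export step, two shells under the
# migration service (the second writing a cron job), an admin reading logs,
# routine cron work, and migration activity hours after the window closed.
SAMPLE_LOG = """\
2026-03-11T02:00:01Z aria-primary procstart parent=migration-service user=root cmd="python3 migrate.py --phase=export"
2026-03-11T02:01:15Z aria-primary procstart parent=migration-service user=root cmd="/bin/sh -c id"
2026-03-11T02:02:30Z aria-primary procstart parent=sshd user=admin cmd="journalctl -u migration-service"
2026-03-11T02:03:44Z aria-primary procstart parent=migration-service user=root cmd="bash -c 'echo * * * * * /tmp/.x >> /etc/cron.d/upd'"
2026-03-11T09:15:00Z aria-primary procstart parent=cron user=root cmd="/usr/bin/logrotate /etc/logrotate.conf"
2026-03-11T14:20:00Z aria-primary procstart parent=support-assist user=root cmd="python3 migrate.py --phase=import"
"""
# Approved (constructed) migration window taken from change control.
DEFAULT_WINDOW = (
    datetime(2026, 3, 11, 1, 30, tzinfo=timezone.utc),
    datetime(2026, 3, 11, 3, 0, tzinfo=timezone.utc),
)


def parse_event(line):
    """Return a dict for one event line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def find_suspicious(log_text, window=DEFAULT_WINDOW):
    """Apply the three hunting rules; returns hits in log order with reasons."""
    start, end = window
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        reasons = []
        from_migration = ev["parent"] in MIGRATION_PARENTS
        if from_migration and not (start <= ev["ts"] <= end):
            reasons.append("migration process active outside approved window")
        if from_migration and SHELL_RE.match(ev["cmd"]):
            reasons.append("shell spawned by migration process")
        if PERSIST_RE.search(ev["cmd"]):
            reasons.append("persistence artifact written")
        if reasons:
            hits.append({"ts": ev["ts"].isoformat(), "parent": ev["parent"],
                         "cmd": ev["cmd"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["ts"], hit["parent"], "|", "; ".join(hit["reasons"]), "|", hit["cmd"])
```

The window rule is the one that most often pays off in practice: a support‑assisted migration is a scheduled, change‑controlled event, so the migration service running at any other time is itself the anomaly worth a ticket, independent of what it executed.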
Critical analysis — strengths, limitations, and risks
Notable strengths of CISA’s approach
- Evidence‑based prioritization: KEV entries are grounded in observed exploitation, which reduces wasted effort on low‑probability CVEs. The policy link (BOD 22‑01) converts that evidence into enforceable action for federal agencies — an important governance mechanism.
- Clear operational signals: a KEV listing produces a definitive prioritization cue for security teams who must triage thousands of vulnerabilities.
Important limitations and risks
- Patch distribution and supply‑chain lag: For Qualcomm‑related Android issues, the OEM/carrier ecosystem controls patch rollout. That means device owners remain exposed for indeterminate windows, which attackers will exploit. Google’s TAG classification as “limited, targeted exploitation” is meaningful, but it does not reduce urgency because an exploit that begins targeted can become opportunistic.
- Operational complexity: The Aria Operations vulnerability shows how enterprise products with special workflows (migrations, support‑assisted operations) can hide high‑impact execution paths. Workflows that are part of routine maintenance can become exploitation channels if they are reachable to attackers.
- Incomplete telemetry: Many enterprises lack robust telemetry on mobile endpoints or internal management appliances. Without comprehensive visibility, organizations will struggle to prove remediation or detect exploitation. CISA’s KEV mechanism can identify what to patch, but it cannot force visibility improvements that are also required for effective mitigation.
How attackers will likely respond
- Patch analysis and exploit development: When vendor fixes are published, attackers often reverse‑engineer those fixes to craft public exploits. That risk makes the pre‑patch and patch‑gap period the most dangerous.
- Opportunistic scanning: For a management product like Aria Operations, attackers can scan for exposed management endpoints and attempt to trigger support/demo migration features or other routines that emulate the operation‑time conditions described in the advisory.
Governance, risk, and compliance notes
- Federal agencies: BOD 22‑01 requires remediation and reporting. Failure to comply is not merely a security gap — it is a regulatory failure against a binding directive. Inventory accuracy and CDM reporting should be treated as operational priorities to demonstrate remediation progress.
- Private sector: While not bound by BOD 22‑01, private companies that support or contract with the federal government should treat KEV entries as elevated risk and plan remediation timelines that match or exceed federal expectations. Customers who run Aria Operations within critical infrastructure or service provider environments should accelerate patching to reduce systemic risk.
Final recommendations — an executive to‑do list
- Treat both catalog additions as high priority: escalate to CIO/CSO and convene a cross‑functional patching war room.
- For mobile device programs: require immediate patch‑level inventory and accelerate OTA updates for high‑risk devices; apply conditional access restrictions until devices are patched.
- For virtualization/management platforms: schedule Aria Operations upgrades now; apply vendor workarounds where immediate upgrades are not possible and verify those mitigations in test labs before production rollout.
- Harden network exposure to management interfaces, restrict support/migration assistance to secure, auditable channels, and monitor for unusual migration or support activity.
- Document mitigation and detection steps, and prepare incident response playbooks that include these CVEs as potential compromise paths.
Conclusion
CISA’s addition of CVE‑2026‑21385 and CVE‑2026‑22719 to the KEV Catalog is a practical escalation of two real‑world threats: one hitting the fragmented Android device ecosystem via a Qualcomm graphics integer overflow, and one exposing a decisive execution primitive in enterprise management tooling during specific migration workflows. The combination of an actively exploited mobile zero‑day and a high‑impact management‑plane command injection reinforces two lessons: defenders must close both the broad, consumer‑driven attack surface (mobile devices and OEM patching practices) and the deep operational attack surface (management appliances and migration workflows), and they must do so with a threat‑informed prioritization process like CISA’s KEV. Follow vendor guidance, apply fixes now, and use compensating controls where patching cannot be immediate — because adversaries track these signals and will move swiftly to exploit any delay.