CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation, released on 20 May 2026.
The newly listed CVEs are CVE-2008-4250 (Microsoft Windows Buffer Overflow Vulnerability), CVE-2009-1537 (Microsoft DirectX NULL Byte Overwrite Vulnerability), CVE-2009-3459 (Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability), CVE-2010-0249 (Microsoft Internet Explorer Use-After-Free Vulnerability), CVE-2010-0806 (Microsoft Internet Explorer Use-After-Free Vulnerability), CVE-2026-41091 (Microsoft Defender Elevation of Privilege Vulnerability), and CVE-2026-45498 (Microsoft Defender Denial of Service Vulnerability). These vulnerability types are noted as frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of CVEs that carry substantial risk for the federal network landscape, with agencies urged to remediate by the stated due dates; CISA nonetheless urges all organisations to prioritise timely remediation as part of vulnerability management.