CISA has added CVE-2026-21385 to the Known Exploited Vulnerabilities (KEV) catalogue, affecting Qualcomm and its multiple chipsets. The vulnerability is named Qualcomm Multiple Chipsets Memory Corruption Vulnerability and is described as a memory corruption issue arising when alignments are used for memory allocation.
Technical detail: The weakness is a memory corruption vulnerability affecting Qualcomm’s multiple chipsets. The available data do not specify the exact attack vector beyond the memory allocation alignment issue, but the CVSS score is 7.8 (HIGH). A patch is available, and guidance references a Qualcomm security bulletin with mitigations. Patch status: patch available. CISA notes and vendor advisories should be consulted for the exact mitigations and affected hardware.
Patch/advisory URL: https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2026-bulletin.html. NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-21385.
Exploitation and risk: Active exploitation has been confirmed, which is why this CVE is listed in KEV. Known ransomware campaign use is unknown. The remediation deadline is 2026-03-24. Organisations should treat this as a currently exploited vulnerability requiring prompt action where affected hardware is in use.
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Directly affected: Federal Civilian Executive Branch (FCEB) agencies. All organisations should review their exposure and apply the appropriate mitigations or mitigated configurations where available.
Final sentence: For full details, see the NVD entry and the CISA KEV catalogue: https://nvd.nist.gov/vuln/detail/CVE-2026-21385 and https://www.cisa.gov/known-exploited-vulnerabilities-catalog.