securityaffairs.com 5/21/2026, 9:32:18 PM · external

CISA Adds Critical Flaws in Windows, Office, Defender to KEV List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added vulnerabilities in Microsoft and Adobe products to its Known Exploited Vulnerabilities (KEV) catalog as of May 21, 2026. Notable vulnerabilities include:

1. **CVE-2008-4250** - Critical buffer overflow in Microsoft Windows (CVSS 9.8).

2. **CVE-2009-1537** - Critical NULL byte overwrite in Microsoft DirectX (CVSS 9.3).

3. **CVE-2009-3459** - Heap-based buffer overflow in Adobe Acrobat (CVSS 9.3).

4. **CVE-2010-0249** - Use-after-free vulnerability in Internet Explorer (CVSS 9.3).

5. **CVE-2010-0806** - Another use-after-free vulnerability in Internet Explorer (CVSS 9.3).

6. **CVE-2026-41091** - Elevation of privilege vulnerability in Microsoft Defender (CVSS 7.8).

7. **CVE-2026-45498** - Denial of service vulnerability in Microsoft Defender (CVSS 6.5).

CISA has mandated that federal agencies remediate these vulnerabilities by June 3, 2026, to protect their networks, and has recommended that private organizations also take action. The catalog aims to mitigate the risk from known vulnerabilities.

Article by CyberSIXT
