The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two new flaws to its Known Exploited Vulnerabilities catalog affecting Broadcom VMware Aria Operations and Qualcomm components. The vulnerabilities are CVE-2026-22719, a Broadcom VMware Aria Operations command injection vulnerability with a CVSS score of 8.1, and CVE-2026-21385, a Qualcomm memory corruption flaw affecting multiple chipsets with a CVSS score of 7.8.
In February, Broadcom released security updates for VMware Aria Operations to address these issues, which enable an unauthenticated attacker to execute arbitrary commands and potentially achieve remote code execution, particularly during support-assisted product migration. Google has confirmed that CVE-2026-21385 is under limited, targeted exploitation for Android devices, while CVE-2026-22719 was privately reported to Broadcom.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, agencies must address the identified flaws, with CISA ordering federal entities to fix them by 24 March 2026.