Changeflow GovPing Government CISA Adds Two Exploited Vulnerabilities to KEV ...
Priority review Notice Added Final

CISA Adds Two Exploited Vulnerabilities to KEV Catalog

Favicon for www.cisa.gov CISA ICS-CERT Advisories
Published March 13th, 2026
Detected March 13th, 2026
Email

Summary

CISA has added two new vulnerabilities, CVE-2026-3909 and CVE-2026-3910, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities per Binding Operational Directive (BOD) 22-01.

View original document View source feed page

What changed

The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) Catalog by adding two new vulnerabilities: CVE-2026-3909 (Google Skia Out-of-Bounds Write Vulnerability) and CVE-2026-3910 (Google Chromium V8 Unspecified Vulnerability). These additions are based on evidence of active exploitation and are considered significant risks to the federal enterprise.

Federal Civilian Executive Branch (FCEB) agencies are mandated by Binding Operational Directive (BOD) 22-01 to remediate these identified vulnerabilities by the established due date to protect their networks. While BOD 22-01 specifically applies to FCEB agencies, CISA strongly recommends that all organizations prioritize the remediation of vulnerabilities listed in the KEV Catalog as part of their ongoing vulnerability management practices to mitigate cyberattack risks.

What to do next

  1. FCEB agencies must remediate CVE-2026-3909 and CVE-2026-3910 by the due date specified in BOD 22-01.
  2. All organizations are strongly urged to prioritize remediation of these vulnerabilities as part of their vulnerability management program.

Source document (simplified)

Alert

CISA Adds Two Known Exploited Vulnerabilities to Catalog

Release Date

March 13, 2026

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  • CVE-2026-3909 Google Skia Out-of-Bounds Write Vulnerability
  • CVE-2026-3910 Google Chromium V8 Unspecified Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

This product is provided subject to this Notification and this Privacy & Use policy.

Please share your thoughts

We recently updated our anonymous product survey; we welcome your feedback.

Related changes

Favicon for sam.gov SAM.gov Entity Exclusions Unavailable Due to Maintenance
Routine Mar 14, 2026 SAM.gov Entity Exclusions (Debarments & Suspensions) Trade Procurement
Favicon for sam.gov SAM.gov Entity Registration and Exclusions Unavailable
Routine Mar 14, 2026 SAM.gov Entity Exclusions (Debarments & Suspensions) Trade Procurement
Favicon for sam.gov SAM.gov Entity Exclusions Unavailable During Maintenance
Routine Mar 14, 2026 SAM.gov Entity Exclusions (Debarments & Suspensions) Trade Procurement
Favicon for wid.cert-bund.de CPython Vulnerabilities Allow Remote Code Execution
Priority review Mar 13, 2026 CERT-Bund Security Advisories Vulnerability Alerts
Favicon for wid.cert-bund.de Vim Vulnerability Allows Code Execution (CVSS 6.6)
Priority review Mar 13, 2026 CERT-Bund Security Advisories Vulnerability Alerts
Favicon for wid.cert-bund.de FreeRDP Vulnerabilities - Remote Code Execution
Priority review Mar 13, 2026 CERT-Bund Security Advisories Vulnerability Alerts

Source

Favicon for www.cisa.gov
CISA ICS-CERT Advisories cisa.gov/rss.xml
Government
Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
Various Federal Agencies
Published
March 13th, 2026
Instrument
Notice
Legal weight
Non-binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Government agencies
Geographic scope
National (US)

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Topics
Vulnerability Management Federal IT Security

Browse Categories

Federal Courts 26 State Courts 91 Securities Regulation 6 Financial Regulation 43 Consumer Protection 5 Drug Safety 45 Data Protection 21 Competition 2 Attorneys General 3 Insurance Regulation 5 Trade & Export 36 Legislation 42 Energy Regulation 13 Environment 3 Labor & Employment 2 Tax 1

Get Government alerts

Weekly digest. AI-summarized, no noise.

Free. Unsubscribe anytime.

Get alerts for this source

We'll email you when CISA ICS-CERT Advisories publishes new changes.

Free. Unsubscribe anytime.