The Broadside

CISA adds seven CVEs to KEV Catalog, two from 2026

Five of the seven entries are legacy vulnerabilities from 2008-2010, suggesting active exploitation of unpatched older systems alongside two current Microsoft Defender flaws.


TL;DR

CISA added seven CVEs to the Known Exploited Vulnerabilities Catalog on May 20, citing evidence of active exploitation. Five are legacy flaws dating to 2008-2010: a Microsoft Windows buffer overflow (CVE-2008-4250), a DirectX null-byte overwrite (CVE-2009-1537), an Adobe Acrobat heap buffer overflow (CVE-2009-3459), and two Internet Explorer use-after-free vulnerabilities (CVE-2010-0249, CVE-2010-0806). The two current entries are a Microsoft Defender elevation-of-privilege (CVE-2026-41091) and a Defender denial-of-service (CVE-2026-45498). BOD 22-01 requires FCEB agencies to remediate by the posted due dates. All others: check your KEV posture now.


The five legacy entries are the detail worth pausing on. CVEs from 2008 and 2009 appearing on a 2026 KEV update means someone, somewhere, is actively exploiting vulnerabilities that have had patches available for roughly 17 years. That is not a software problem; it is an asset-management and patch-hygiene problem. FCEB agencies with any remaining exposure to these should treat remediation as overdue, not upcoming.

The two 2026 Microsoft Defender entries are more straightforward current-cycle items. An elevation-of-privilege flaw (CVE-2026-41091) and a denial-of-service flaw (CVE-2026-45498) in Defender warrant prompt patching precisely because Defender is a near-universal Windows endpoint component; widespread deployment means widespread attack surface.

Who is directly bound: Federal Civilian Executive Branch agencies under BOD 22-01. Remediation deadlines are posted per CVE on the KEV Catalog page.

Who should act anyway: Any organization running unpatched Windows XP-era or Office/IE stacks in operational environments, and any organization running current Windows with Defender enabled. The latter is most of the commercial and state/local government world.

CISA's standing guidance applies: prioritize KEV entries in your vulnerability management workflow regardless of BOD applicability. For CMMC-scoped contractors, KEV entries map directly to the active-exploit evidence threshold that can trigger heightened scrutiny in assessments.
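One way to carry out the "check your KEV posture" step, as an added example that is not part of the article: it cross-references scanner findings against a snapshot of the KEV feed (constructed here, in the same shape as CISA's published JSON feed) and ranks KEV-listed findings with overdue items first. Only the CVE IDs come from the article; the dateAdded year, every due date, the asset names and the extra non-KEV CVE are assumptions.

```python
import json
from datetime import date

# Constructed KEV feed snapshot in the shape of the real feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only the CVE IDs come from the advisory; dateAdded assumes the May 20 update was
# in 2026, and every dueDate is a placeholder, not CISA's posted deadline.
KEV_SNAPSHOT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2008-4250", "product": "Windows", "dateAdded": "2026-05-20", "dueDate": "2026-06-10"},
    {"cveID": "CVE-2009-1537", "product": "DirectX", "dateAdded": "2026-05-20", "dueDate": "2026-06-10"},
    {"cveID": "CVE-2009-3459", "product": "Acrobat", "dateAdded": "2026-05-20", "dueDate": "2026-06-10"},
    {"cveID": "CVE-2010-0249", "product": "Internet Explorer", "dateAdded": "2026-05-20", "dueDate": "2026-06-10"},
    {"cveID": "CVE-2010-0806", "product": "Internet Explorer", "dateAdded": "2026-05-20", "dueDate": "2026-06-10"},
    {"cveID": "CVE-2026-41091", "product": "Defender", "dateAdded": "2026-05-20", "dueDate": "2026-06-03"},
    {"cveID": "CVE-2026-45498", "product": "Defender", "dateAdded": "2026-05-20", "dueDate": "2026-06-03"},
]})

# Constructed scanner output: (asset, CVE) pairs a vulnerability scanner might report.
SCAN_FINDINGS = [
    ("legacy-hmi-01", "CVE-2008-4250"),
    ("legacy-hmi-01", "CVE-2010-0806"),
    ("ws-0412", "CVE-2026-41091"),
    ("ws-0412", "CVE-2024-99999"),   # constructed non-KEV CVE; stays in the normal queue
]

def load_kev(feed_json):
    """Index a KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def kev_posture(findings, kev, today_iso):
    """Return KEV-listed findings only, overdue first, then by days late.

    Each row: (asset, cve, status, days_past_due, cve_age_years); the last field
    is a rough proxy for how long a fix has been available."""
    today, rows = date.fromisoformat(today_iso), []
    for asset, cve in findings:
        entry = kev.get(cve)
        if entry is None:
            continue  # not in KEV: leave it to normal risk-based prioritization
        late = (today - date.fromisoformat(entry["dueDate"])).days
        status = "OVERDUE" if late > 0 else "DUE"
        rows.append((asset, cve, status, max(late, 0), today.year - int(cve.split("-")[1])))
    rows.sort(key=lambda r: (r[2] != "OVERDUE", -r[3], r[1]))
    return rows

if __name__ == "__main__":
    for row in kev_posture(SCAN_FINDINGS, load_kev(KEV_SNAPSHOT), "2026-06-05"):
        print(row)
```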


Deep Fathom