The Broadside · News

CISA adds three Arista, Chrome V8, Cisco flaws to KEV

The binding clock now matters more than the alert text, because the alert did not include the specific remediation due dates.


TL;DR

CISA added CVE-2026-7473 in Arista Extensible Operating System, CVE-2026-11645 in Google Chromium V8 and CVE-2026-20245 in Cisco Catalyst SD-WAN Manager to the Known Exploited Vulnerabilities Catalog after evidence of active exploitation. Binding Operational Directive 22-01 requires Federal Civilian Executive Branch agencies to remediate KEV entries by their due dates, though this alert does not state those dates. Contractors, primes and managed service providers supporting FCEB networks should treat the catalog entry, not the press alert, as the operational source.

CISA made a routine but operationally real update to the Known Exploited Vulnerabilities Catalog, adding CVE-2026-7473 in Arista Extensible Operating System, CVE-2026-11645 in Google Chromium V8 and CVE-2026-20245 in Cisco Catalyst SD-WAN Manager based on evidence of active exploitation. Binding Operational Directive 22-01 makes the catalog the controlling object for Federal Civilian Executive Branch remediation, so the missing detail in the alert is the one practitioners need most: the due date for each CVE. Agencies, contractors, primes and managed service providers supporting FCEB environments should verify the KEV entries directly, map exposure, and document remediation or mitigation against the BOD 22-01 timeline.


Published · Deep Fathom
