Known Exploited Vulnerabilities catalog updated by CISA with Cisco Catalyst SD-WAN, Arista EOS, and Chromium V8 issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog to include newly identified security flaws impacting Cisco Catalyst SD-WAN, Arista’s Extensible Operating System (EOS), and Google’s Chromium V8 engine.

The vulnerabilities added to the catalog are:

  • CVE-2026-7473 (CVSS v4.0 score: 6.9) – Arista EOS improper comparison issue
  • CVE-2026-11645 – Google Chromium V8 out-of-bounds read/write vulnerability
  • CVE-2026-20245 (CVSS v4.0 score: 7.1) – Cisco Catalyst SD-WAN Manager output encoding flaw

The Arista EOS issue (CVE-2026-7473) affects devices configured for tunnel decapsulation, including technologies such as VXLAN, GRE, and decap-groups. The flaw arises from improper validation during packet processing, allowing the system to accept and forward unexpected tunneled traffic if it matches a configured decapsulation IP address. Because the platform does not adequately verify the tunnel protocol type, unintended traffic may be processed, potentially resulting in traffic misdirection or bypass of security controls. This vulnerability has already been observed in active exploitation scenarios.

The Chromium flaw (CVE-2026-11645) is tied to an out-of-bounds memory access condition within the V8 JavaScript engine. Such vulnerabilities occur when a program interacts with memory outside its allocated boundaries, which can lead to a variety of impacts including application crashes, privilege escalation, or remote code execution. This issue is particularly significant as it represents the fifth Chrome zero-day vulnerability exploited in the wild so far in 2026. As is typical in these cases, Google has limited the release of technical details to reduce the risk of widespread abuse before patch adoption.

The Cisco Catalyst SD-WAN Manager vulnerability (CVE-2026-20245) involves improper input validation, which can enable command execution with elevated privileges. An authenticated attacker with local access and administrative-level permissions (netadmin) can exploit this flaw to run arbitrary commands with root-level access. Although exploitation requires valid credentials, attackers could obtain these through credential theft or by chaining with other vulnerabilities such as CVE-2026-20182 and CVE-2026-20127. At the time of reporting, no official patch or workaround has been released, increasing the urgency for compensating security measures.

Under Binding Operational Directive (BOD) 22-01, which is aimed at reducing risks associated with known and actively exploited vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies are required to remediate vulnerabilities included in the KEV catalog by specified deadlines. This directive is designed to strengthen federal network defenses against ongoing threat activity.

Security professionals also advise private-sector organizations to closely monitor updates to the KEV catalog and promptly address any affected systems within their environments to minimize exposure.

CISA has set a remediation deadline of June 23, 2026, for federal agencies to address these vulnerabilities.
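As an added example (not from the article or CISA), the following script shows how a defender can match the KEV feed against an asset inventory and track the BOD 22-01 due date. The JSON field names (cveID, vendorProject, product, dueDate) follow the real KEV feed schema; the catalog entries and the inventory are constructed from the CVEs in the article, not a live download.

```python
# Added example (not from the article): match a CISA KEV feed against an asset
# inventory and report BOD 22-01 due dates. Field names follow the real KEV
# JSON schema; the entries and inventory below are constructed for illustration.
import json
from datetime import date

KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-7473", "vendorProject": "Arista",
     "product": "EOS", "dueDate": "2026-06-23"},
    {"cveID": "CVE-2026-11645", "vendorProject": "Google",
     "product": "Chromium V8", "dueDate": "2026-06-23"},
    {"cveID": "CVE-2026-20245", "vendorProject": "Cisco",
     "product": "Catalyst SD-WAN Manager", "dueDate": "2026-06-23"},
]})

# Constructed asset inventory: vendor/product strings as a CMDB might hold them.
INVENTORY = [
    {"host": "core-sw-01", "vendor": "Arista", "product": "EOS 4.x switch"},
    {"host": "sdwan-mgr", "vendor": "Cisco", "product": "Catalyst SD-WAN Manager"},
    {"host": "web-01", "vendor": "Canonical", "product": "Ubuntu Server"},
]


def load_kev(raw: str) -> list:
    """Parse the KEV feed JSON and return its vulnerability entries."""
    return json.loads(raw)["vulnerabilities"]


def days_left(due_date: str, as_of: str) -> int:
    """Days from as_of (ISO date) until the BOD 22-01 due date; negative = overdue."""
    return (date.fromisoformat(due_date) - date.fromisoformat(as_of)).days


def match_inventory(kev: list, inventory: list, as_of: str) -> list:
    """One finding per (asset, KEV entry) pair: vendor must match exactly and the
    KEV product name must appear in the asset's product string (case-insensitive).
    Substring matching is deliberately loose; review hits before acting on them."""
    findings = []
    for entry in kev:
        vendor = entry["vendorProject"].lower()
        product = entry["product"].lower()
        for asset in inventory:
            if asset["vendor"].lower() == vendor and product in asset["product"].lower():
                left = days_left(entry["dueDate"], as_of)
                findings.append({"host": asset["host"], "cve": entry["cveID"],
                                 "due": entry["dueDate"], "days_left": left,
                                 "overdue": left < 0})
    return findings
```

Run `match_inventory(load_kev(KEV_SAMPLE), INVENTORY, "2026-06-01")` to list the two affected hosts with 22 days left before the June 23, 2026 deadline.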
