CISA adds seven CVEs to KEV Catalog, two from 2026
Five of the seven entries are legacy vulnerabilities from 2008-2010, suggesting active exploitation of unpatched older systems alongside two current Microsoft Defender flaws.

Editorial brief
CISA added seven CVEs to the Known Exploited Vulnerabilities Catalog on May 20, citing evidence of active exploitation. Five are legacy flaws dating to 2008-2010: a Microsoft Windows buffer overflow (CVE-2008-4250), a DirectX null-byte overwrite (CVE-2009-1537), an Adobe Acrobat heap buffer overflow (CVE-2009-3459), and two Internet Explorer use-after-free vulnerabilities (CVE-2010-0249, CVE-2010-0806). The two current entries are a Microsoft Defender elevation-of-privilege (CVE-2026-41091) and a Defender denial-of-service (CVE-2026-45498). BOD 22-01 requires FCEB agencies to remediate by the posted due dates. All others: check your KEV posture now.
The five legacy entries are the detail worth pausing on. CVEs from 2008 and 2009 appearing on a 2026 KEV update means someone, somewhere, is actively exploiting vulnerabilities that have had patches available for roughly 17 years. That is not a software problem; it is an asset-management and patch-hygiene problem. FCEB agencies with any remaining exposure to these should treat remediation as overdue, not upcoming.
The two 2026 Microsoft Defender entries are more straightforward current-cycle items. An elevation-of-privilege flaw (CVE-2026-41091) and a denial-of-service flaw (CVE-2026-45498) in Defender warrant prompt patching precisely because Defender is a near-universal Windows endpoint component; widespread deployment means widespread attack surface.
Who is directly bound: Federal Civilian Executive Branch agencies under BOD 22-01. Remediation deadlines are posted per CVE on the KEV Catalog page.
Who should act anyway: Any organization running unpatched Windows XP-era or Office/IE stacks in operational environments, and any organization running current Windows with Defender enabled. The latter is most of the commercial and state/local government world.
CISA's standing guidance applies: prioritize KEV entries in your vulnerability management workflow regardless of BOD applicability. For CMMC-scoped contractors, KEV entries map directly to the active-exploit evidence threshold that can trigger heightened scrutiny in assessments.
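One way to run that posture check, as an added example that is not part of the brief: the script below indexes a KEV feed in the record layout of the public known_exploited_vulnerabilities.json file (a constructed snapshot here, with placeholder due dates), matches it against a constructed scanner inventory, and ranks findings overdue-first while flagging legacy-era CVEs the way the brief does. The hostnames, due dates and the ten-year "legacy" threshold are assumptions; the authoritative due dates are the ones posted per CVE on the KEV Catalog page.

```python
"""Cross-reference an asset inventory against a CISA KEV feed snapshot.
Added example, not from the article: record layout mirrors the public
known_exploited_vulnerabilities.json feed; all values below are constructed."""
import json
from datetime import date

# Constructed snapshot. Due dates are placeholders; the authoritative ones
# are those posted per CVE on the KEV Catalog page.
KEV_SNAPSHOT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2008-4250", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2026-05-20", "dueDate": "2026-06-10"},
    {"cveID": "CVE-2009-3459", "vendorProject": "Adobe", "product": "Acrobat",
     "dateAdded": "2026-05-20", "dueDate": "2026-06-10"},
    {"cveID": "CVE-2026-41091", "vendorProject": "Microsoft", "product": "Defender",
     "dateAdded": "2026-05-20", "dueDate": "2026-06-03"},
]})
# Constructed inventory: host -> CVEs a scanner reported unpatched.
# CVE-0000-00000 is an obvious placeholder for a finding that is not in KEV.
INVENTORY = {
    "ws-legacy-01": ["CVE-2008-4250", "CVE-2009-3459", "CVE-0000-00000"],
    "ws-2026-07": ["CVE-2026-41091"],
}
LEGACY_AGE_YEARS = 10  # assumption: a CVE this much older than its add date is "legacy"


def load_kev(feed_json: str) -> dict[str, dict]:
    """Index a KEV feed (the real file or a snapshot) by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def kev_posture(inventory: dict[str, list[str]], kev: dict[str, dict],
                today_iso: str) -> list[tuple[str, str, str, bool, bool]]:
    """Return (host, cve, dueDate, overdue, legacy) rows, most urgent first."""
    today = date.fromisoformat(today_iso)
    rows = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: still patch it, but outside BOD 22-01 scope
            due = date.fromisoformat(entry["dueDate"])
            added_year = date.fromisoformat(entry["dateAdded"]).year
            legacy = added_year - int(cve.split("-")[1]) >= LEGACY_AGE_YEARS
            rows.append((host, cve, entry["dueDate"], today > due, legacy))
    # overdue first, then earliest due date (ISO strings sort chronologically)
    rows.sort(key=lambda r: (not r[3], r[2], r[0], r[1]))
    return rows


if __name__ == "__main__":
    for row in kev_posture(INVENTORY, load_kev(KEV_SNAPSHOT), "2026-06-05"):
        print(*row)
```

Pointing `load_kev` at the downloaded feed file and `kev_posture` at real scanner output turns this into a daily KEV triage list; a legacy flag on a fresh add is the asset-management signal the brief describes.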
Deep Fathom