**U.S. CISA Adds Google Chromium and Sierra Wireless AirLink ALEOS Flaws to its Known Exploited Vulnerabilities Catalog**
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited vulnerabilities, one in Google Chromium and one in Sierra Wireless AirLink ALEOS, to its Known Exploited Vulnerabilities (KEV) catalog.
**Google Chromium Flaw: A High-Severity Threat**
CVE-2025-14174 is a high-severity flaw that affects Google Chrome on Mac prior to version 143.0.7499.110. According to CISA, an attacker can exploit this vulnerability by sending a crafted HTML page to the victim's device, leading to out-of-bounds memory access.
Google has already released security updates that fix three vulnerabilities in the Chrome browser, including this high-severity flaw. What makes the flaw especially concerning is that Google acknowledged an exploit for it exists in the wild, indicating that threat actors are actively exploiting it in real-world attacks.
To understand the technical details behind this bug, let's take a look at a related GitHub commit. According to the commit, the issue lies in the ANGLE graphics library, specifically its Metal renderer, where buffer sizes were incorrectly calculated using pixelsDepthPitch, derived from GL_UNPACK_IMAGE_HEIGHT. This incorrect calculation can cause buffer overflows, leading to memory corruption, crashes, or potentially arbitrary code execution.
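To show the class of bug in code, here is an added example (it is not the ANGLE commit's code, and the function and field names are my own) that computes the exact client-memory extent a 3D texture upload reads from the GL unpack state, with GL_UNPACK_IMAGE_HEIGHT driving the depth pitch, and rejects the upload when the checked size overflows or exceeds the caller's buffer. The naive_bytes function shows how ignoring that state undercounts the size, which is the kind of mismatch that leaves a staging buffer smaller than what is actually read or written.

```c
#include <stdbool.h>
#include <stdint.h>
/* Subset of the GL pixel-unpack state that decides how much client memory a
 * texture upload reads; fields mirror the GL enums named in the comments. */
struct unpack_state {
    uint32_t row_length;    /* GL_UNPACK_ROW_LENGTH   (0 = same as width)  */
    uint32_t image_height;  /* GL_UNPACK_IMAGE_HEIGHT (0 = same as height) */
    uint32_t alignment;     /* GL_UNPACK_ALIGNMENT    (1, 2, 4 or 8)       */
};

/* Exact byte extent a width x height x depth upload reads when the unpack
 * state is honoured: row pitch = ROW_LENGTH * bpp rounded up to ALIGNMENT,
 * depth pitch = IMAGE_HEIGHT * row pitch; the last image and last row are
 * counted tight. Returns false on invalid state or arithmetic overflow, in
 * which case the upload must be rejected rather than sized by guesswork. */
bool bytes_required(const struct unpack_state *u, uint32_t width,
                    uint32_t height, uint32_t depth, uint32_t bpp,
                    uint64_t *out)
{
    uint64_t row_len, img_h, row_bytes, row_pitch, depth_pitch, a, b, c, t;
    if (width == 0 || height == 0 || depth == 0) { *out = 0; return true; }
    row_len = u->row_length ? u->row_length : width;
    img_h = u->image_height ? u->image_height : height;
    if (u->alignment == 0 || row_len < width || img_h < height) return false;
    if (__builtin_mul_overflow(row_len, (uint64_t)bpp, &row_bytes)) return false;
    if (__builtin_add_overflow(row_bytes, (uint64_t)u->alignment - 1, &row_pitch)) return false;
    row_pitch = row_pitch / u->alignment * u->alignment;
    if (__builtin_mul_overflow(row_pitch, img_h, &depth_pitch)) return false;
    /* depth_pitch*(depth-1) + row_pitch*(height-1) + width*bpp, all checked */
    if (__builtin_mul_overflow(depth_pitch, (uint64_t)depth - 1, &a) ||
        __builtin_mul_overflow(row_pitch, (uint64_t)height - 1, &b) ||
        __builtin_mul_overflow((uint64_t)width, (uint64_t)bpp, &c) ||
        __builtin_add_overflow(a, b, &t) ||
        __builtin_add_overflow(t, c, out))
        return false;
    return true;
}

/* What a naive path assumes when it ignores the unpack state entirely. */
uint64_t naive_bytes(uint32_t w, uint32_t h, uint32_t d, uint32_t bpp) {
    return (uint64_t)w * h * d * bpp;
}

/* Gatekeeper a renderer should apply before copying into a staging buffer. */
bool upload_fits(const struct unpack_state *u, uint32_t w, uint32_t h,
                 uint32_t d, uint32_t bpp, uint64_t client_buffer_size) {
    uint64_t need;
    return bytes_required(u, w, h, d, bpp, &need) && need <= client_buffer_size;
}
```

With IMAGE_HEIGHT set to 8 for a 4x4x2 RGBA upload, the naive size is 128 bytes while the upload actually spans 192, so a 128-byte staging buffer is rejected instead of being overrun.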
**Sierra Wireless AirLink ALEOS Flaw: Remote Code Execution**
CVE-2018-4063 is a remote code execution flaw in Sierra Wireless AirLink ES450 FW 4.9.3 that affects the upload.cgi component. An authenticated attacker can send a crafted HTTP request to upload and execute malicious code on the device's web server.
**What Does This Mean for Federal Agencies and Private Organizations?**
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies have been ordered to address these identified vulnerabilities by January 2nd, 2026. Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
As CISA emphasizes, addressing these vulnerabilities is crucial to protect networks against attacks exploiting the flaws in the catalog. Private organizations should take immediate action to patch these vulnerabilities and prevent potential breaches.
**Stay Informed**
Follow me on Twitter (@securityaffairs), Facebook and Mastodon for the latest updates on cybersecurity news and trends. Stay informed, stay secure!
**Related Articles:**
* [Microsoft Windows and WinRAR Flaws Added to CISA's Known Exploited Vulnerabilities Catalog](link)
* [Google Releases Security Updates to Fix Three High-Severity Chrome Browser Vulnerabilities](link)