Vulnerabilities | Jun 3, 2026

CISA warns of active attacks exploiting Android, Linux bugs

CISA warns of active exploits targeting Android and Linux kernel privilege escalation flaws.

Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two high-severity vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2025-48595, an integer overflow flaw in Android Framework affecting versions 14-16, and CVE-2022-0492, a privilege escalation vulnerability in the Linux kernel's cgroups v1 subsystem. Both flaws are being actively exploited in the wild, with the Android vulnerability requiring no user interaction and the Linux flaw particularly dangerous in containerized environments, prompting CISA to set a June 5 remediation deadline for federal agencies under BOD 22-01.

Full text

By Bill Toulas, June 3, 2026, 11:36 AM

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that hackers are exploiting vulnerabilities in the Linux kernel and Android operating system.

The most recent flaw the agency added to its Known Exploited Vulnerabilities (KEV) catalog, CVE-2025-48595, is a high-severity integer overflow vulnerability in the Android Framework, which can be leveraged for increased privileges.

According to Google’s recent security bulletin, the security issue impacts Android 14 through 16, and requires no user interaction to exploit. Google indicated that CVE-2025-48595 may be under limited targeted exploitation in the wild, but provided no specific details about the activity or technical information about the flaw or the incidents.

The issue has been addressed with the release of June 2026 security patches (2026-06-01 and 2026-06-05 security patch levels).

The second vulnerability CISA added to KEV is tracked as CVE-2022-0492, a high-severity privilege escalation flaw that impacts multiple Linux kernel branches, from 2.6 through 4.20, and from 5.5 through 5.17.

The flaw lies in the ‘cgroup_release_agent_write()’ function of the cgroups v1 subsystem, which, due to insufficient authentication checks, can be abused by a local attacker to bypass namespace isolation, escalate privileges, and potentially escape from a container to gain root-level access on the host system.

According to past reports from Aqua Security and Palo Alto Networks, the issue primarily impacts containerized environments using cgroups v1, and is especially dangerous when containers are granted elevated capabilities.

The Linux kernel versions that address the issue are:

  • 4.9.301+
  • 4.14.266+
  • 4.19.229+
  • 5.4.177+
  • 5.10.97+
  • 5.15.20+
  • 5.16.6+
  • 5.17-rc3+

By including the two flaws in KEV, all federal agencies bound by the BOD 22-01 directive are required to apply the vendor-provided security updates and mitigations, or to stop using the impacted software. CISA set the deadline for June 5.

However, the KEV also serves as a notice board for critical infrastructure entities and large organizations in general, who should take security measures against these flaws with the same urgency.

Neither of the flaws is marked as exploited by ransomware groups, which is a specific flag CISA uses on its KEV entries to highlight additional severity and patching urgency.
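
An added triage example (not from the article or from CISA): it compares a `uname -r` string against the fixed upstream releases listed above and checks `/proc/mounts` text for cgroups v1 hierarchies. It assumes upstream version numbering, so a `below-fix` result on a distribution kernel that backports fixes needs confirming against the vendor advisory; the function names and the sample mount table are constructed for illustration.

```python
import re

# Fixed upstream releases per stable branch, as listed in the article.
FIXED = {(4, 9): 301, (4, 14): 266, (4, 19): 229, (5, 4): 177,
         (5, 10): 97, (5, 15): 20, (5, 16): 6}
MAINLINE_FIX = (5, 17, 3)  # 5.17-rc3 and later

# Constructed sample of /proc/mounts: one cgroups v1 hierarchy, one v2 mount.
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,memory 0 0
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid 0 0
"""


def classify(release):
    """Map a `uname -r` string to 'fixed', 'below-fix' or 'unlisted'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = (int(g) if g else None for g in m.groups())
    branch = (major, minor)
    if branch > MAINLINE_FIX[:2]:
        return "fixed"
    if branch == MAINLINE_FIX[:2]:
        # Only an -rc tag below rc3 predates the fix on this branch.
        return "below-fix" if rc is not None and rc < MAINLINE_FIX[2] else "fixed"
    if branch in FIXED:
        return "fixed" if (patch or 0) >= FIXED[branch] else "below-fix"
    return "unlisted"  # the article names no fixed release for this branch


def cgroup_v1_mounts(mounts_text):
    """Mount points with filesystem type 'cgroup' (v1); 'cgroup2' is v2."""
    rows = (line.split() for line in mounts_text.splitlines())
    return [f[1] for f in rows if len(f) >= 3 and f[2] == "cgroup"]


def triage(release, mounts_text):
    """Flag hosts that are not on a listed fixed release and still mount v1."""
    status, v1 = classify(release), cgroup_v1_mounts(mounts_text)
    return {"release": release, "kernel": status, "cgroup_v1": v1,
            "priority": status != "fixed" and bool(v1)}


if __name__ == "__main__":
    import platform
    with open("/proc/mounts") as fh:  # Linux only
        print(triage(platform.release(), fh.read()))
```
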

Indicators of Compromise

  • cve — CVE-2025-48595
  • cve — CVE-2022-0492

Entities

  • Google (vendor)
  • Android (product)
  • Linux kernel (technology)
  • cgroups v1 (product)
  • CISA (vendor)