2026-06-03 BleepingComputer

CISA Warns of Active Attacks Exploiting Android and Linux Kernel Flaws

Vulnerability | Threat Intel | Incident Response

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two high-severity vulnerabilities—one in the Android Framework and another in the Linux kernel—to its Known Exploited Vulnerabilities (KEV) catalog, confirming both are being actively targeted by threat actors. The first, CVE-2025-48595, is an integer overflow vulnerability in the Android Framework that allows attackers to escalate privileges without any user interaction. According to Google's June 2026 security bulletin, the flaw impacts Android versions 14 through 16 and has been observed under limited, targeted exploitation in the wild, though the company withheld technical specifics. Google addressed the issue in its June 2026 security patches (2026-06-01 and 2026-06-05 patch levels).

The second flaw, CVE-2022-0492, is a long-standing privilege escalation vulnerability affecting multiple Linux kernel branches ranging from 2.6 through 4.20 and 5.5 through 5.17. The bug resides in the cgroup_release_agent_write() function of the cgroups v1 subsystem, where insufficient authentication checks enable local attackers to bypass namespace isolation, escalate privileges, and potentially escape containerized environments to obtain root-level access on the host. Research from Aqua Security and Palo Alto Networks highlights that the vulnerability is particularly dangerous in containerized deployments using cgroups v1 with elevated capabilities. Patched kernel versions include 4.9.301+, 4.14.266+, 4.19.229+, 5.4.177+, 5.10.97+, 5.15.20+, 5.16.6+, and 5.17-rc3+.
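The patched-release list above can be turned into a quick fleet triage for CVE-2022-0492. The following is an added example, not code from the article, CISA or the kernel project; the host names, inventory and verdict labels are constructed, and treating a kernel with a build suffix as "check-vendor" is an assumption, since distributions backport fixes without changing the upstream version number.

```python
import re

# Fixed upstream releases per stable branch, copied from the list above.
PATCHED = {(4, 9): 301, (4, 14): 266, (4, 19): 229, (5, 4): 177,
           (5, 10): 97, (5, 15): 20, (5, 16): 6}
MAINLINE_FIX, MAINLINE_FIX_RC = (5, 17), 3   # "5.17-rc3+"

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def classify(release: str) -> str:
    """Map a `uname -r` string to patched / vulnerable / check-vendor /
    unlisted / unparsed, using only the upstream fix versions."""
    release = release.strip()
    m = _RELEASE.match(release)
    if not m:
        return "unparsed"
    branch = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    rc = int(m.group(4)) if m.group(4) else None
    if branch > MAINLINE_FIX:
        verdict = "patched"
    elif branch == MAINLINE_FIX:
        # Only 5.17 release candidates before rc3 lack the fix.
        verdict = "vulnerable" if rc is not None and rc < MAINLINE_FIX_RC else "patched"
    elif branch in PATCHED:
        verdict = "patched" if patch >= PATCHED[branch] else "vulnerable"
    else:
        return "unlisted"      # no fixed release listed for this branch
    # Assumption: a build suffix (e.g. "-91-generic") marks a distribution
    # kernel, which may carry a backported fix under an older version number.
    if verdict == "vulnerable" and release[m.end():]:
        return "check-vendor"
    return verdict


def triage(inventory: dict) -> dict:
    """Group host names by verdict."""
    groups = {}
    for host, release in sorted(inventory.items()):
        groups.setdefault(classify(release), []).append(host)
    return groups


# Constructed inventory: host name -> output of `uname -r`.
SAMPLE = {"build-01": "5.10.96", "k8s-node-1": "5.15.0-91-generic",
          "k8s-node-2": "5.10.97", "lab-rc": "5.17.0-rc2",
          "edge-07": "6.1.55", "legacy-db": "4.4.302"}

if __name__ == "__main__":
    for verdict, hosts in sorted(triage(SAMPLE).items()):
        print(f"{verdict:13} {', '.join(hosts)}")
```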

Under CISA's Binding Operational Directive 22-01, all U.S. federal agencies must apply vendor-provided patches or discontinue use of the affected software by June 5. While the directive applies directly to federal entities, CISA strongly encourages critical infrastructure operators and large enterprises to treat the KEV catalog as an urgent advisory and remediate accordingly. Neither vulnerability is currently flagged for ransomware-linked exploitation, a designation CISA reserves for flaws posing heightened patching urgency.

Security teams managing mixed Android and Linux environments should prioritize patching immediately, especially in containerized production stacks where CVE-2022-0492 poses an elevated risk. Administrators can use a port scanner to identify exposed services on Linux hosts that may be reachable by attackers chaining the kernel privilege escalation, and run an SSL/TLS checker to ensure encrypted communications remain uncompromised across the affected infrastructure. For broader environment hardening, a privacy checkup can help surface additional misconfigurations that threat actors often exploit alongside known kernel and OS-level flaws.

Source: BleepingComputer
