CISA Warns of Active Exploits Targeting Android, Linux Flaws

Key Takeaways

- CVE-2025-48595 affects Android 14-16 and requires no user interaction to exploit
- CVE-2022-0492 is a 2022 Linux kernel flaw now confirmed actively exploited in the wild
- Federal agencies must patch or stop using affected software by June 5, 2026
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on June 3, 2026, about active exploitation of vulnerabilities in Android and the Linux kernel. Both flaws allow attackers to escalate privileges on affected systems.
CISA added the two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. This means federal agencies bound by directive BOD 22-01 must apply patches or stop using the affected software by June 5, 2026.
The Android Vulnerability: CVE-2025-48595
The first flaw, CVE-2025-48595, is a high-severity integer overflow vulnerability in the Android Framework. It affects Android versions 14 through 16. Attackers can use it to gain elevated privileges on a target device.
What makes this flaw particularly dangerous: it requires no user interaction to exploit. A victim doesn't need to click a malicious link or install a rogue app. The attacker can trigger the vulnerability without any help from the user.
Google acknowledged in its June 2026 security bulletin that CVE-2025-48595 "may be under limited targeted exploitation in the wild." The company did not share technical details about the flaw or information about who is exploiting it.
Google addressed the issue in the June 2026 security patches. Devices running security patch levels 2026-06-01 or 2026-06-05 are protected.
The Linux Kernel Vulnerability: CVE-2022-0492
The second vulnerability is older but still causing problems. CVE-2022-0492 is a high-severity privilege escalation flaw in the Linux kernel. It affects kernel versions 2.6 through 4.20, and versions 5.5 through 5.17.
The bug exists in the cgroup_release_agent_write() function within the cgroups v1 subsystem. Insufficient authentication checks allow a local attacker to bypass namespace isolation, escalate privileges, and potentially escape from a container to gain root-level access on the host system.
Previous reports from Aqua Security and Palo Alto Networks found the issue primarily impacts containerized environments using cgroups v1. It's especially dangerous when containers run with elevated capabilities.
Patched Linux Kernel Versions
Organizations should ensure they're running one of these patched kernel versions:
- 4.9.301 or later
- 4.14.266 or later
- 4.19.229 or later
- 5.4.177 or later
- 5.10.97 or later
- 5.15.20 or later
- 5.16.6 or later
- 5.17-rc3 or later
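An added example, not code from the article or its sources: a first-pass audit that compares an upstream-style kernel release string with the fixed versions listed above and reports any cgroups v1 mounts. The function names and the sample inputs are constructed for illustration.

```python
import re

# Lowest fixed release per stable branch, copied from the list above.
PATCHED = {(4, 9): 301, (4, 14): 266, (4, 19): 229, (5, 4): 177,
           (5, 10): 97, (5, 15): 20, (5, 16): 6}
MAINLINE_FIX = (5, 17, 3)  # 5.17-rc3 or later
FIXED, BELOW = "at-or-above-listed-fix", "below-listed-fix"

RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def classify_kernel(release):
    """Compare an upstream-style release string with the listed fixes."""
    # Distribution kernels often backport fixes without changing the upstream
    # number, so BELOW means "check the vendor advisory", not "confirmed".
    m = RELEASE_RE.match(release)
    if not m:
        return "unparsed"
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    rc = int(m.group(4)) if m.group(4) else None
    branch = (major, minor)
    if branch > MAINLINE_FIX[:2]:
        return FIXED
    if branch == MAINLINE_FIX[:2]:
        # A final 5.17 release has no -rc suffix and postdates rc3.
        return FIXED if rc is None or rc >= MAINLINE_FIX[2] else BELOW
    if branch in PATCHED:
        return FIXED if patch >= PATCHED[branch] else BELOW
    # No fixed release is listed for this branch: plan an upgrade or check
    # the vendor's advisory.
    return "branch-not-listed"


def cgroup_v1_mounts(mounts_text):
    """Return mount points whose filesystem type is cgroup (v1), not cgroup2."""
    rows = (line.split() for line in mounts_text.splitlines())
    return [f[1] for f in rows if len(f) >= 3 and f[2] == "cgroup"]


# Constructed samples; on a host use platform.release() and /proc/mounts.
SAMPLE_RELEASES = ["5.10.96", "5.10.0-11-amd64", "5.15.20", "5.17.0-rc2",
                   "6.1.55", "5.8.18", "4.19.229"]
SAMPLE_MOUNTS = """cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,memory 0 0
"""

if __name__ == "__main__":
    for rel in SAMPLE_RELEASES:
        print(f"{rel:18} {classify_kernel(rel)}")
    print("cgroup v1 mounts:", cgroup_v1_mounts(SAMPLE_MOUNTS))
```

A distribution release such as the constructed "5.10.0-11-amd64" parses as 5.10.0 and lands below the listed fix even though the vendor may have backported the patch, which is why the result is a prompt to check the vendor advisory rather than a verdict.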
What This Means for Organizations
CISA's KEV catalog serves two purposes. First, it mandates action for federal agencies. Second, it signals to critical infrastructure operators and large organizations that they should treat these flaws with equal urgency.
Neither vulnerability is marked as exploited by ransomware groups. CISA uses that flag to highlight additional severity. However, privilege escalation flaws are often precursors to broader attacks. Gaining elevated access is typically step one in a larger compromise.
For Android users, the fix is straightforward: install the June 2026 security update when your device manufacturer makes it available. For Linux administrators, especially those running containerized workloads, audit your kernel versions and patch any systems still vulnerable to CVE-2022-0492.
Frequently Asked Questions
What is the CISA KEV catalog?
The Known Exploited Vulnerabilities catalog is a list maintained by CISA of security flaws confirmed to be actively exploited in the wild. Federal agencies must patch KEV-listed vulnerabilities within specified deadlines.
How do I check if my Android device is patched for CVE-2025-48595?
Go to Settings > About Phone > Android Security Patch Level. If it shows 2026-06-01, 2026-06-05, or a later date, your device has the fix.
Does CVE-2022-0492 affect all Linux systems?
It primarily affects systems using cgroups v1, especially containerized environments. Systems running cgroups v2 or patched kernel versions are not vulnerable.
Are these vulnerabilities being used by ransomware groups?
CISA has not flagged either vulnerability as exploited by ransomware groups. However, privilege escalation flaws are commonly used in the early stages of ransomware attacks.
What's the deadline for federal agencies to patch?
Federal agencies bound by BOD 22-01 must apply patches or stop using affected software by June 5, 2026.
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer