CISA Warns of Active Exploits Targeting Android, Linux Flaws

Key Takeaways

- CVE-2025-48595 affects Android 14-16 and requires no user interaction to exploit
- CVE-2022-0492 is a 2022 Linux kernel flaw now confirmed actively exploited in the wild
- Federal agencies must patch or stop using affected software by June 5, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on June 3, 2026, about active exploitation of vulnerabilities in Android and the Linux kernel. Both flaws allow attackers to escalate privileges on affected systems.

CISA added the two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. This means federal agencies bound by directive BOD 22-01 must apply patches or stop using the affected software by June 5, 2026.

The Android Vulnerability: CVE-2025-48595

The first flaw, CVE-2025-48595, is a high-severity integer overflow vulnerability in the Android Framework. It affects Android versions 14 through 16. Attackers can use it to gain elevated privileges on a target device.
What makes this flaw particularly dangerous: it requires no user interaction to exploit. A victim doesn't need to click a malicious link or install a rogue app. The attacker can trigger the vulnerability without any help from the user.
Google acknowledged in its June 2026 security bulletin that CVE-2025-48595 "may be under limited targeted exploitation in the wild." The company did not share technical details about the flaw or information about who is exploiting it.
Google addressed the issue in the June 2026 security patches. Devices running security patch levels 2026-06-01 or 2026-06-05 are protected.

The Linux Kernel Vulnerability: CVE-2022-0492

The second vulnerability is older but still causing problems. CVE-2022-0492 is a high-severity privilege escalation flaw in the Linux kernel. It affects kernel versions 2.6 through 4.20, and versions 5.5 through 5.17.
The bug exists in the cgroup_release_agent_write() function within the cgroups v1 subsystem. Insufficient authentication checks allow a local attacker to bypass namespace isolation, escalate privileges, and potentially escape from a container to gain root-level access on the host system.
Previous reports from Aqua Security and Palo Alto Networks found the issue primarily impacts containerized environments using cgroups v1. It's especially dangerous when containers run with elevated capabilities.

Patched Linux Kernel Versions

Organizations should ensure they're running one of these patched kernel versions:
- 4.9.301 or later
- 4.14.266 or later
- 4.19.229 or later
- 5.4.177 or later
- 5.10.97 or later
- 5.15.20 or later
- 5.16.6 or later
- 5.17-rc3 or later
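
The version floors above can be turned into a fleet audit check. The following is an added example, not code from CISA or the original article; the hostnames and `uname -r` strings in `SAMPLE` are constructed, and the verdict names are this example's own.

```python
import re

# Patched floors per stable branch, taken from the list above.
PATCHED = {(4, 9): 301, (4, 14): 266, (4, 19): 229, (5, 4): 177,
           (5, 10): 97, (5, 15): 20, (5, 16): 6}
FIXED_MAINLINE, FIXED_RC = (5, 17), 3  # fixed from 5.17-rc3 onward
_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def classify(release: str) -> str:
    """Classify a `uname -r` string against the patched versions listed above.

    Returns 'patched', 'unpatched', 'review' (branch has no fix listed on
    this page) or 'unparsed'. Distribution kernels often backport fixes
    without changing the upstream version number, so 'unpatched' and
    'review' mean "check the vendor advisory", not a final verdict.
    """
    m = _RELEASE.match(release.strip())
    if not m:
        return "unparsed"
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    rc = int(m.group(4)) if m.group(4) else None
    if (major, minor) > FIXED_MAINLINE:
        return "patched"
    if (major, minor) == FIXED_MAINLINE:
        # Release candidates before rc3 predate the fix; the final release has it.
        return "patched" if rc is None or rc >= FIXED_RC else "unpatched"
    floor = PATCHED.get((major, minor))
    if floor is None:
        return "review"
    return "patched" if patch >= floor else "unpatched"


# Constructed sample inventory (hostname -> uname -r), not real hosts.
SAMPLE = {"build-01": "5.4.0-100-generic", "k8s-node-07": "5.10.97",
          "legacy-db": "4.19.228-amd64", "edge-03": "5.8.18",
          "lab-rc": "5.17.0-rc2", "new-app": "6.1.55"}


def audit(inventory: dict) -> dict:
    """Map each host to its verdict."""
    return {host: classify(rel) for host, rel in inventory.items()}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{host:12} {SAMPLE[host]:20} {verdict}")
```

A distribution release string such as `5.4.0-100-generic` is reported as `unpatched` by upstream numbering alone, which is why the vendor's own advisory has to confirm the result.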

What This Means for Organizations

CISA's KEV catalog serves two purposes. First, it mandates action for federal agencies. Second, it signals to critical infrastructure operators and large organizations that they should treat these flaws with equal urgency.
Neither vulnerability is marked as exploited by ransomware groups. CISA uses that flag to highlight additional severity. However, privilege escalation flaws are often precursors to broader attacks. Gaining elevated access is typically step one in a larger compromise.
For Android users, the fix is straightforward: install the June 2026 security update when your device manufacturer makes it available. For Linux administrators, especially those running containerized workloads, audit your kernel versions and patch any systems still vulnerable to CVE-2022-0492.

Frequently Asked Questions

What is the CISA KEV catalog?
The Known Exploited Vulnerabilities catalog is a list maintained by CISA of security flaws confirmed to be actively exploited in the wild. Federal agencies must patch KEV-listed vulnerabilities within specified deadlines.

How do I check if my Android device is patched for CVE-2025-48595?
Go to Settings > About Phone > Android Security Patch Level. If it shows 2026-06-01 or 2026-06-05 or later, your device has the fix.

Does CVE-2022-0492 affect all Linux systems?
It primarily affects systems using cgroups v1, especially containerized environments. Systems running cgroups v2 or patched kernel versions are not vulnerable.

Are these vulnerabilities being used by ransomware groups?
CISA has not flagged either vulnerability as exploited by ransomware groups. However, privilege escalation flaws are commonly used in the early stages of ransomware attacks.

What's the deadline for federal agencies to patch?
Federal agencies bound by BOD 22-01 must apply patches or stop using affected software by June 5, 2026.

Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer