
CISA warns of active exploits targeting Android, Linux flaws

Summary

– CISA warns that hackers are exploiting vulnerabilities in the Linux kernel and Android OS, adding two flaws to its Known Exploited Vulnerabilities catalog.
– CVE-2025-48595 is a high-severity Android Framework integer overflow in versions 14-16 that allows privilege escalation without user interaction.
– The second flaw, CVE-2022-0492, is a Linux kernel privilege escalation bug in the cgroups v1 subsystem that can enable container escape and root-level access.
– Federal agencies must apply vendor patches for both flaws by June 5, per the BOD 22-01 directive, or stop using the impacted software.
– Neither vulnerability is flagged as exploited by ransomware groups, though CISA urges critical infrastructure and large organizations to treat them with urgency.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that threat actors are actively exploiting security flaws in both the Linux kernel and the Android operating system. These vulnerabilities have now been added to the agency’s Known Exploited Vulnerabilities (KEV) catalog, signaling a heightened risk for federal agencies and private sector organizations alike.

The most recent addition, tracked as CVE-2025-48595, is a high-severity integer overflow vulnerability found within the Android Framework. This flaw allows an attacker to escalate privileges on affected devices. According to Google’s latest security bulletin, the issue impacts Android versions 14 through 16 and can be exploited without any user interaction. Google has acknowledged that CVE-2025-48595 may be under limited, targeted exploitation in the wild, though it has not disclosed specific technical details or incident information. Patches were released as part of the June 2026 security update, covering both the 2026-06-01 and 2026-06-05 security patch levels.

The second vulnerability, CVE-2022-0492, is a high-severity privilege escalation flaw that affects a broad range of Linux kernel versions, from 2.6 through 4.20 and from 5.5 through 5.17. The issue resides in the `cgroup_release_agent_write()` function within the cgroups v1 subsystem. Due to insufficient authentication checks, a local attacker can bypass namespace isolation, escalate privileges, and potentially escape from a container to gain root-level access on the host system. Past reports from Aqua Security and Palo Alto Networks highlight that this flaw primarily endangers containerized environments using cgroups v1, especially when containers are granted elevated capabilities.

The following Linux kernel versions contain the fix: 4.9.301+, 4.14.266+, 4.19.229+, 5.4.177+, 5.10.97+, 5.15.20+, 5.16.6+, and 5.17-rc3+.
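To triage a fleet against that list, the added example below (not code from CISA, the kernel project or the original article) classifies a `uname -r` string using only the version numbers given above and reports cgroups v1 mounts from `/proc/mounts` text. The function names and the sample mount data are assumptions made for illustration, and a version string cannot show distribution backports, so an "affected" result still needs checking against the vendor advisory.

```python
import re

# Fixed stable releases per branch, as listed in the article.
FIXED = {(4, 9): 301, (4, 14): 266, (4, 19): 229, (5, 4): 177,
         (5, 10): 97, (5, 15): 20, (5, 16): 6}

def parse_release(release):
    """Parse a `uname -r` string into (major, minor, patch, rc_number_or_None)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(-rc(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    rc = int(m.group(5)) if m.group(5) else None
    return major, minor, patch, rc

def kernel_status(release):
    """Return 'fixed', 'affected' or 'unknown' from the article's version lists."""
    major, minor, patch, rc = parse_release(release)
    branch = (major, minor)
    if branch in FIXED:
        # Upstream numbering only: vendor kernels may backport the fix.
        return "fixed" if patch >= FIXED[branch] else "affected"
    if branch == (5, 17):
        # 5.17-rc3 and later carry the fix; rc is None for final 5.17.x releases.
        return "fixed" if rc is None or rc >= 3 else "affected"
    if branch > (5, 17):
        return "fixed"
    # Affected ranges given in the article: 2.6 through 4.20 and 5.5 through 5.17.
    if (2, 6) <= branch <= (4, 20) or (5, 5) <= branch < (5, 17):
        return "affected"  # no fixed release is listed for this branch
    return "unknown"

def cgroup_v1_mounts(mounts_text):
    """Return mount points whose filesystem type is 'cgroup' (v1, not 'cgroup2')."""
    return [f[1] for f in (line.split() for line in mounts_text.splitlines())
            if len(f) >= 3 and f[2] == "cgroup"]

# Constructed sample of /proc/mounts content, not taken from a real host.
SAMPLE_MOUNTS = """\
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,memory 0 0
"""

if __name__ == "__main__":
    for rel in ("4.19.228", "5.10.97", "5.17.0-rc2", "6.1.0"):
        print(rel, kernel_status(rel))
    print(cgroup_v1_mounts(SAMPLE_MOUNTS))
```

On a live host, pass the output of `uname -r` to `kernel_status()` and the contents of `/proc/mounts` to `cgroup_v1_mounts()`.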

By adding both vulnerabilities to the KEV catalog, CISA requires all federal agencies subject to BOD 22-01 to apply the vendor-provided security updates or discontinue use of the affected software. The compliance deadline is June 5. Beyond the federal mandate, the KEV catalog serves as an important alert for critical infrastructure operators and large enterprises, who are urged to treat these flaws with the same urgency as ransomware-level threats. Notably, neither vulnerability has been flagged as exploited by ransomware groups, a specific marker CISA uses to indicate additional severity and patching priority.

(Source: BleepingComputer)
