CISA flags active Android and Linux exploits in KEV

CISA warns – The U.S. Cybersecurity and Infrastructure Security Agency added two high-severity vulnerabilities—one in Android Framework (CVE-2025-48595) and one in the Linux kernel cgroups v1 subsystem (CVE-2022-0492)—to its Known Exploited Vulnerabilities catalog, warning

For the third time in recent weeks, CISA’s Known Exploited Vulnerabilities catalog has become a countdown clock for defenders—this time with attacks tied to both Android and the Linux kernel.

The U.S. Cybersecurity and Infrastructure Security Agency is warning that hackers are exploiting vulnerabilities in the Linux kernel and Android operating system. The latest addition to the KEV catalog is CVE-2025-48595, a high-severity integer overflow vulnerability in the Android Framework. CISA says it can be leveraged for increased privileges.

Google’s recent security bulletin places the impact squarely on Android 14 through 16. Unlike many flaws, the issue can be exploited without user interaction, Google said. Google also indicated CVE-2025-48595 may be under limited, targeted exploitation in the wild, but did not provide specific details about the activity, the incidents, or technical information about the flaw.

The fix is already out. CISA pointed to the release of the June 2026 security patches at two security patch levels: 2026-06-01 and 2026-06-05.

CISA didn’t stop there. The second vulnerability added to KEV is CVE-2022-0492, another high-severity flaw involving privilege escalation across multiple Linux kernel branches. It affects kernel versions from 2.6 through 4.20, and from 5.5 through 5.17.

The problem sits in the ‘cgroup_release_agent_write()’ function of the cgroups v1 subsystem. CISA says insufficient authentication checks allow a local attacker to abuse the feature to bypass namespace isolation, escalate privileges, and potentially escape from a container to gain root-level access on the host system.

Past reporting from Aqua Security and Palo Alto Networks described why the risk can be so sharp in practice: the issue primarily impacts containerized environments using cgroups v1, and it becomes especially dangerous when containers are granted elevated capabilities. CISA also listed the Linux kernel versions that address the issue: 4.9.301+, 4.14.266+, 4.19.229+, 5.4.177+, 5.10.97+, 5.15.20+, 5.16.6+, and 5.17-rc3+.
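
The version lists above can be turned into a quick triage check for CVE-2022-0492. This is an added example, not code from CISA or from the article: `classify_kernel`, `cgroup_v1_mounts`, the result labels and the sample mounts text are assumptions made for illustration. It compares upstream version numbers only, so a distribution kernel that backports the fix will still show as below the upstream fix and needs its vendor advisory checked.

```python
import re

# Fixed upstream releases per stable branch, as listed in the article.
# (5.4 appears in the fixed list although it is outside the stated affected ranges.)
FIXED_PATCH = {(4, 9): 301, (4, 14): 266, (4, 19): 229, (5, 4): 177,
               (5, 10): 97, (5, 15): 20, (5, 16): 6}
# Affected ranges as listed in the article (major.minor, inclusive).
AFFECTED = [((2, 6), (4, 20)), ((5, 5), (5, 17))]

def classify_kernel(release):
    """Classify a `uname -r` style string against the article's version lists."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", release)
    if not m:
        return "unknown"
    branch = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    rc = int(m.group(4)) if m.group(4) else None
    if branch == (5, 17):
        # 5.17-rc3 and later carry the fix; rc1 and rc2 do not.
        return "below-upstream-fix" if rc is not None and rc < 3 else "fixed-upstream"
    if branch in FIXED_PATCH:
        return "fixed-upstream" if patch >= FIXED_PATCH[branch] else "below-upstream-fix"
    if any(lo <= branch <= hi for lo, hi in AFFECTED):
        return "affected-branch-no-fix-listed"
    return "not-listed"

def cgroup_v1_mounts(proc_mounts_text):
    """Return mount points of cgroup v1 hierarchies (fstype 'cgroup', not 'cgroup2')."""
    points = []
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "cgroup":
            points.append(fields[1])
    return points

# Constructed sample of /proc/mounts content, not taken from a real host.
SAMPLE_MOUNTS = """\
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,memory 0 0
cgroup /sys/fs/cgroup/rdma cgroup rw,nosuid,nodev,noexec,rdma 0 0
"""

if __name__ == "__main__":
    for rel in ["5.15.0-91-generic", "5.10.97", "4.19.228", "5.17.0-rc2", "5.8.0-63-generic"]:
        print(rel, "->", classify_kernel(rel))
    print("cgroup v1 hierarchies:", cgroup_v1_mounts(SAMPLE_MOUNTS))
```

On a live host, pass the output of `uname -r` and the contents of `/proc/mounts` to the two functions; a host that is below the upstream fix and still mounts cgroup v1 hierarchies is the combination the article describes as most exposed.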

Once both flaws are in the KEV catalog, the consequences extend beyond advice. By including the two vulnerabilities in KEV, all federal agencies bound by the BOD 22-01 directive are required to apply the vendor-provided security updates and mitigations, or stop using the impacted software. CISA set the deadline for June 5.

The catalog also functions as a notice board for critical infrastructure entities and large organizations in general, pushing them to respond with similar urgency.

Neither flaw is marked as exploited by ransomware groups—an additional flag CISA uses within KEV entries to indicate heightened severity and faster patching urgency.
