CISA warns of active attacks exploiting Android, Linux bugs
CISA warns of active exploitation of two high-severity bugs: CVE-2025-48595 in Android (affecting Android 14–16; exploits require no user interaction; limited in-the-wild activity; patched in June 2026) and CVE-2022-0492 in the Linux kernel (cgroups v1; local privilege escalation and possible container escape; patches available for multiple kernel versions). Federal agencies must apply updates by June 5, 2026, and KEV serves as a warning to critical infrastructure and large organizations; neither flaw is currently flagged as ransomware-exploited.

Overview
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about active exploitation of vulnerabilities in both the Linux kernel and the Android operating system. The agency highlights two distinct flaws that are being tracked in the Known Exploited Vulnerabilities (KEV) catalog. One affects modern Android devices, while the other targets container-heavy Linux environments. The public advisories emphasize the importance of applying vendor patches and reviewing affected systems to reduce the risk of privilege escalation and potential root access.
Android: CVE-2025-48595 in the Framework
What it is
- A high-severity integer overflow vulnerability found in the Android Framework.
- Exploitation can enable increased privileges without any user interaction.
Impact and scope
- Affects Android versions 14 through 16.
- Confirmed to be exploitable in the wild under limited targeted circumstances, though detailed exploit activity has not been publicly disclosed.
Patch status
- Addressed with the June 2026 security patches.
- Patch levels referenced: 2026-06-01 and 2026-06-05.
Context
- Google’s security bulletin indicates that the flaw can be exploited without user action, underscoring why devices running affected Android versions should be updated promptly where possible.
- The vulnerability is listed in KEV, signaling heightened awareness by federal and organizational defenders and encouraging rapid remediation.
Linux: CVE-2022-0492 and the Cgroups v1 Risk
What it is
- A high-severity privilege escalation flaw within the cgroups v1 subsystem, specifically residing in the cgroup_release_agent_write() function.
- The issue stems from insufficient authentication checks, enabling a local attacker to bypass namespace isolation, escalate privileges, and potentially escape from a container to gain root-level access on the host.
Impact and scope
- Affects multiple Linux kernel branches, spanning 2.6 through 4.20 and 5.5 through 5.17.
- Particularly dangerous in containerized environments that rely on cgroups v1 and in scenarios where containers are granted elevated capabilities.
Patch status and affected kernels
- The Linux kernel versions addressing the issue include:
  - 4.9.301+
  - 4.14.266+
  - 4.19.229+
  - 5.4.177+
  - 5.10.97+
  - 5.15.20+
  - 5.16.6+
  - 5.17-rc3+
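The following triage helper is an added example and is not part of the CISA advisory or any vendor tooling. It turns the fix-version table above into a check a defender can run across a fleet: it classifies a kernel release string against the listed upstream fix levels, detects whether any cgroup v1 hierarchy is mounted (the feature the flaw lives in), and reads the effective capability mask to see whether a process runs with CAP_SYS_ADMIN, the "elevated capabilities" case the advisory singles out. The `/proc/self/mountinfo` and `/proc/self/status` samples are constructed for the example; the branch classification for kernels not in the table ("unlisted") is an assumption that such hosts must be verified against distribution backports rather than treated as safe.

```python
"""Triage helper for CVE-2022-0492 exposure (added example, not advisory code).

Assumptions: FIXED mirrors the upstream fix levels listed in the advisory;
distribution kernels often backport fixes without changing the version
string, so "vulnerable"/"unlisted" means "verify with the vendor", not
"confirmed exploitable".
"""
import re

# Upstream stable branch -> first patch level carrying the fix (from the advisory).
FIXED = {
    (4, 9): 301, (4, 14): 266, (4, 19): 229, (5, 4): 177,
    (5, 10): 97, (5, 15): 20, (5, 16): 6,
}
CAP_SYS_ADMIN_BIT = 21  # bit index of CAP_SYS_ADMIN in the CapEff mask


def parse_kernel(release: str):
    """Reduce a release string such as '5.10.96-generic' to (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognized kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def kernel_status(release: str) -> str:
    """'patched', 'vulnerable', or 'unlisted' (branch not in the fix table)."""
    major, minor, patch = parse_kernel(release)
    if (major, minor) >= (5, 17):
        return "patched"  # 5.17-rc3 and every later release carry the fix
    fix = FIXED.get((major, minor))
    if fix is None:
        return "unlisted"  # e.g. 4.15: no upstream stable fix listed; check backports
    return "patched" if patch >= fix else "vulnerable"


def cgroup_v1_mounted(mountinfo: str) -> bool:
    """True if any cgroup v1 hierarchy (fstype 'cgroup', not 'cgroup2') is mounted."""
    for line in mountinfo.splitlines():
        parts = line.split(" - ")  # optional fields end at the ' - ' separator
        if len(parts) == 2 and parts[1].split()[0] == "cgroup":
            return True
    return False


def has_cap_sys_admin(status: str) -> bool:
    """Read the CapEff hex mask from /proc/<pid>/status and test the CAP_SYS_ADMIN bit."""
    for line in status.splitlines():
        if line.startswith("CapEff:"):
            mask = int(line.split()[1], 16)
            return bool((mask >> CAP_SYS_ADMIN_BIT) & 1)
    return False


def triage(release: str, mountinfo: str, status: str) -> dict:
    """Combine the three checks into a single risk rating for one host/container."""
    kernel = kernel_status(release)
    v1 = cgroup_v1_mounted(mountinfo)
    admin = has_cap_sys_admin(status)
    if kernel == "patched" or not v1:
        risk = "none"       # fix present, or the affected subsystem is not in use
    elif admin:
        risk = "elevated"   # unpatched, cgroup v1 in use, and CAP_SYS_ADMIN held
    else:
        risk = "present"    # unpatched and cgroup v1 in use; restrict via seccomp/LSM
    return {"kernel": kernel, "cgroup_v1": v1, "cap_sys_admin": admin, "risk": risk}


# Constructed samples (not captured from a real system).
SAMPLE_MOUNTINFO_V1 = (
    "24 30 0:22 / /sys/fs/cgroup rw,nosuid - tmpfs tmpfs rw,mode=755\n"
    "25 24 0:23 / /sys/fs/cgroup/memory rw,nosuid - cgroup cgroup rw,memory\n"
)
SAMPLE_MOUNTINFO_V2 = "24 30 0:22 / /sys/fs/cgroup rw,nosuid - cgroup2 cgroup2 rw\n"
SAMPLE_STATUS_ROOT = "Name:\tbash\nCapEff:\t000001ffffffffff\n"
SAMPLE_STATUS_DEFAULT = "Name:\tbash\nCapEff:\t00000000a80425fb\n"

if __name__ == "__main__":
    print(triage("5.10.96-generic", SAMPLE_MOUNTINFO_V1, SAMPLE_STATUS_ROOT))
    print(triage("5.10.97-generic", SAMPLE_MOUNTINFO_V1, SAMPLE_STATUS_ROOT))
```

On a live host, feed `triage()` the output of `uname -r` and the contents of `/proc/self/mountinfo` and `/proc/self/status`; a "present" or "elevated" result on a container host is the cue to prioritize the kernel update and, in the meantime, to confirm that seccomp and AppArmor/SELinux profiles are enforced for workloads sharing that kernel.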
Organizational and policy context
- By including CVE-2022-0492 in KEV, the directive under BOD 22-01 requires federal agencies to apply the vendor-provided updates and mitigations or to discontinue use of the affected software.
- The KEV listing also serves as a broader advisory for critical infrastructure entities and large organizations to act with similar urgency.
Exploitation landscape and cautions
- Neither flaw is marked as being exploited by ransomware groups in KEV entries, but the potential for elevated access and container breakout has kept security teams vigilant.
- The advisory context stresses the importance of timely patching and monitoring of affected systems across both desktop/server and containerized environments.
Validation and broader security notes
A broader discussion accompanies these advisories about how security testing is conducted in modern environments. Automated pentesting tools excel at answering whether an attacker can move laterally through a network, but they may miss whether existing controls block threats, whether detection rules respond appropriately, or whether cloud configurations resist abuse. A referenced guide explores six critical surfaces that organizations should validate to close gaps beyond what automated tools typically reveal. This emphasis on comprehensive validation highlights the ongoing shift from purely discovery-focused testing to thorough assurance across multiple layers of security controls.
Contextual references and related themes
- The KEV framework continues to function as a centralized notification mechanism for actively exploited or high-risk vulnerabilities across federal and civilian architectures.
- Industry analyses from trusted security researchers and vendors often discuss how exploits intersect with container security, kernel hardening, and how patch adoption timelines affect risk posture.
- Related discussions note continued attention to actively exploited Android updates and broader vulnerability management practices, reinforcing the need for ongoing monitoring of vendor advisories and patch cycles.
Key takeaways
- Two major flaws, CVE-2025-48595 in Android and CVE-2022-0492 in Linux cgroups v1, have driven current defensive focus due to their potential to escalate privileges and compromise system integrity.
- Android devices on versions 14–16 should be updated to the June 2026 patch levels to mitigate the Android flaw.
- Linux environments relying on cgroups v1, especially within containerized deployments, should ensure kernel updates are applied across the affected version ranges to close privilege escalation paths.
- The KEV catalog serves as both a reminder and a call to action for critical infrastructure and government-adjacent environments to review and, where necessary, revise their patching and risk management strategies in response to these active threats.
- Broader security validation remains essential: organizations should complement automated testing with multi-surface verification to ensure controls, detections, and configurations collectively withstand real-world attack scenarios.