
CISA Flags Active Exploitation of Linux Kernel CVE‑2022‑0492 and Android Framework CVE‑2025‑48595 in KEV Catalog

CISA added CVE‑2022‑0492 (Linux kernel authentication bypass) and CVE‑2025‑48595 (Android integer overflow) to its Known Exploited Vulnerabilities catalog, citing active exploitation. Both flaws enable privilege escalation or remote code execution, creating immediate risk for any organization using affected Linux kernels or Android versions.

LiveThreat™ Intelligence · June 03, 2026 · Source: cisa.gov

Severity: High · Type: Vulnerability · Confidence: High · Affected: 4 sector(s) · Actions: 4 recommended

What It Is — The Cybersecurity and Infrastructure Security Agency (CISA) added two CVEs to its Known Exploited Vulnerabilities (KEV) catalog, confirming that threat actors are actively exploiting these flaws in the Linux kernel and Android framework. Both vulnerabilities allow privilege escalation or remote code execution, posing a direct risk to any environment running the affected components.

Exploitability — Evidence of active exploitation in the wild; both CVEs have publicly available exploit code and have been observed in targeted attacks. CVSS v3.1 scores: CVE‑2022‑0492 = 9.8 (Critical), CVE‑2025‑48595 = 8.6 (High).

Affected Products

  • Linux Kernel (all distributions shipping kernel 5.10 and earlier that include the vulnerable authentication path).
  • Android Framework (devices running Android 13 and earlier that include the vulnerable integer‑overflow handling).

TPRM Impact

  • Third‑party software that embeds the Linux kernel (e.g., cloud‑hosted Linux VMs, container runtimes) inherits the risk.
  • Mobile‑app providers and OEMs that ship Android OS updates may expose their customers to credential theft or device compromise.

Recommended Actions

  • Prioritize patching of affected Linux kernels and Android OS versions per vendor advisories.
  • Verify that all third‑party SaaS and cloud providers have applied the patches to their underlying infrastructure.
  • Update vulnerability‑management tools to flag CVE‑2022‑0492 and CVE‑2025‑48595 as “high‑severity – active exploitation.”
  • Conduct a rapid risk assessment for any downstream services that rely on vulnerable components and consider temporary mitigations (e.g., network segmentation, firewall rules).
  • Document remediation status to satisfy BOD 22‑01 compliance requirements.
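The flagging and status-tracking actions above can be scripted. The sketch below is an added example, not CISA or LiveThreat code: it matches a scanner export against a KEV-style feed, applies the active-exploitation tag, and produces a per-asset status row for BOD 22‑01 records. The feed excerpt, due dates, asset names and the `triage` and `normalize_cve` helpers are constructed assumptions; the normalization step matters because CVE IDs copied from rendered pages such as this brief carry non-breaking hyphens (U+2011) that will not match the feed's ASCII IDs.

```python
import json
import re
from datetime import date

KEV_TAG = "high-severity - active exploitation"
ORDER = {"overdue": 0, "open": 1, "remediated": 2}

# Constructed excerpt shaped like CISA's KEV JSON feed. dateAdded follows the
# advisory date in this brief; the dueDate values are placeholders.
KEV_FEED = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-2022-0492",  "dateAdded": "2026-06-02", "dueDate": "2026-06-23"},
 {"cveID": "CVE-2025-48595", "dateAdded": "2026-06-02", "dueDate": "2026-06-23"}]}""")

# Constructed scanner export. The second ID carries U+2011 hyphens, as it would
# if pasted from a rendered page; the third is a placeholder ID not in KEV.
FINDINGS = [
    {"asset": "vm-build-01", "owner": "internal", "cve": "cve-2022-0492", "patched": False},
    {"asset": "mdm-fleet", "owner": "vendor:ExampleOEM",
     "cve": "CVE\u20112025\u201148595", "patched": True},
    {"asset": "vm-build-01", "owner": "internal", "cve": "CVE-0000-00000", "patched": False},
]

def normalize_cve(raw):
    """Upper-case the ID and map Unicode hyphen/dash variants to ASCII '-'."""
    return re.sub(r"[\u2010-\u2015\u2212]", "-", raw.strip()).upper()

def triage(findings, feed, today):
    """Return one status row per finding, unremediated KEV entries first."""
    kev = {normalize_cve(v["cveID"]): v for v in feed["vulnerabilities"]}
    rows = []
    for f in findings:
        cve = normalize_cve(f["cve"])
        entry = kev.get(cve)
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        if f["patched"]:
            status = "remediated"
        elif due and today > due:
            status = "overdue"
        else:
            status = "open"
        rows.append({"asset": f["asset"], "owner": f["owner"], "cve": cve,
                     "tag": KEV_TAG if entry else None,
                     "due": due.isoformat() if due else None, "status": status})
    rows.sort(key=lambda r: (r["tag"] is None, ORDER[r["status"]]))
    return rows

if __name__ == "__main__":
    for row in triage(FINDINGS, KEV_FEED, today=date(2026, 6, 10)):
        print(row)
```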

Source: CISA Advisory – Two Known Exploited Vulnerabilities Added to KEV Catalog (June 2 2026)

Original source: https://www.cisa.gov/news-events/alerts/2026/06/02/cisa-adds-two-known-exploited-vulnerabilities-catalog

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
