CISA Adds Android and Linux Kernel Flaws to Known Exploited Vulnerabilities Catalog
What Happened – The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that two critical flaws—CVE‑2022‑0492 (Linux kernel cgroup privilege‑escalation) and CVE‑2025‑48595 (Android framework integer‑overflow)—have been added to its Known Exploited Vulnerabilities (KEV) catalog. Both vulnerabilities are actively exploited in the wild, with the Android issue showing limited, targeted attacks.
Why It Matters for TPRM –
- Both flaws enable privilege escalation on widely‑deployed platforms (Linux containers and Android devices), expanding the attack surface for any third‑party service that relies on them.
- CISA’s directive requires federal agencies, and strongly urges private firms, to remediate by June 5 2026, leaving a tight remediation window.
- Supply‑chain risk spikes when vendors cannot patch quickly, potentially exposing downstream customers to data loss or service disruption.
Who Is Affected – Cloud‑service providers, SaaS platforms, MSPs, and any organization that runs Linux‑based containers or supports Android‑based endpoints (e.g., mobile device management, BYOD programs).
Recommended Actions –
- Verify whether any third‑party vendors host Linux containers or ship Android devices.
- Confirm that patches for CVE‑2022‑0492 (kernel ≥ 5.15.0‑rc5) and CVE‑2025‑48595 (Android Security Patch 2025‑03) are applied.
- If patches are unavailable, implement compensating controls (e.g., restrict cgroup release_agent usage, enforce application‑level sandboxing).
- Update your KEV monitoring feeds and adjust risk scores for affected vendors.
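As an added illustration of the last two actions (not code from the Security Affairs article), the script below triages a KEV feed excerpt against a third-party inventory and bumps vendor risk scores by the CISA due date. The feed excerpt is constructed in the shape of CISA's known_exploited_vulnerabilities.json, and the vendor names, platform tags, base scores and scoring weights are hypothetical.

```python
import json
from datetime import date

# Constructed excerpt shaped like CISA's known_exploited_vulnerabilities.json feed.
# The two CVEs and the 2026-06-05 due date are from the brief; the third entry is a placeholder.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-0492", "vendorProject": "Linux", "product": "Kernel",
     "dueDate": "2026-06-05", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-48595", "vendorProject": "Android", "product": "Framework",
     "dueDate": "2026-06-05", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0000", "vendorProject": "ExampleCo", "product": "Widget",  # placeholder
     "dueDate": "2026-01-01", "knownRansomwareCampaignUse": "Known"},
]})

# Hypothetical mapping from KEV vendorProject/product pairs to the platform tags in the inventory.
PLATFORM_MAP = {("Linux", "Kernel"): "linux-kernel", ("Android", "Framework"): "android"}

# Hypothetical third-party inventory: which platforms each vendor runs or ships, plus a base risk score.
INVENTORY = [
    {"vendor": "Acme MSP", "platforms": ["linux-kernel", "android"], "base_score": 30},
    {"vendor": "Beta SaaS", "platforms": ["linux-kernel"], "base_score": 30},
    {"vendor": "Gamma Payroll", "platforms": ["windows"], "base_score": 30},
]

def triage(kev_json, inventory, today):
    """Return one finding per (vendor, KEV entry) pair where the vendor runs the affected platform."""
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        platform = PLATFORM_MAP.get((entry["vendorProject"], entry["product"]))
        if platform is None:
            continue  # KEV entry for a platform this inventory does not track
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        for vendor in inventory:
            if platform in vendor["platforms"]:
                findings.append({"vendor": vendor["vendor"], "cve": entry["cveID"],
                                 "platform": platform, "days_left": days_left})
    return findings

def risk_scores(inventory, findings):
    """Bump each vendor's base score: +10 per open KEV exposure, +25 once the CISA due date has passed."""
    scores = {v["vendor"]: v["base_score"] for v in inventory}
    for f in findings:
        scores[f["vendor"]] = min(100, scores[f["vendor"]] + (25 if f["days_left"] < 0 else 10))
    return scores

if __name__ == "__main__":
    found = triage(KEV_SAMPLE, INVENTORY, date(2026, 5, 20))
    for f in found:
        print(f"{f['vendor']}: {f['cve']} via {f['platform']}, {f['days_left']} days to CISA due date")
    print(risk_scores(INVENTORY, found))
```

Re-run the triage on each feed refresh; a vendor whose score jumps past the overdue threshold is the one to chase for a patch status statement.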
Technical Notes –
- CVE‑2022‑0492: Improper authentication in Linux cgroups v1 release_agent allows a local attacker to escape a container and gain root on the host (CVSS 7.0).
- CVE‑2025‑48595: Integer overflow in Android framework code leads to arbitrary code execution and privilege escalation on Android 14‑16 devices (CVSS 8.4).
- Both are being exploited; the Android flaw shows “limited, targeted exploitation.”
Source: Security Affairs