Skip to main content
Emerging ThreatsMalware & Ransomware

CISA Warns of Active Exploits Targeting Android, Linux Flaws

Smartphone on a neutral surface with blurred background.

CVE-2025-48595 is a high-severity integer overflow in the Android Framework that "requires no user interaction to exploit," and Google says it "may be under limited targeted exploitation in the wild." That terse combination — a privilege-escalating bug affecting Android 14–16 and reportedly being used in targeted attacks — is why CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog alongside a long-standing Linux container escape bug.

CVE-2025-48595: Android Framework integer overflow and the vendor response

CISA flagged CVE-2025-48595 for active exploitation after Google’s bulletin identified it as a high-severity integer overflow in the Android Framework that can be leveraged to gain increased privileges. Google’s advisory says the flaw affects Android 14 through 16 and requires no user interaction to exploit. The company also said the issue "may be under limited targeted exploitation in the wild" but provided no technical details about incidents or the exploit itself.

Google addressed the issue with June 2026 security patches, referenced at the 2026-06-01 and 2026-06-05 security patch levels. By listing the CVE in KEV, CISA signals urgency for organizations that manage Android fleets to verify deployment of those June 2026 updates.

CVE-2022-0492: cgroup_release_agent_write(), containers, and privilege escalation

The other KEV addition, CVE-2022-0492, is a high-severity privilege escalation in the Linux kernel. The flaw is located in the cgroup_release_agent_write() function of the cgroups v1 subsystem; insufficient authentication checks can let a local attacker bypass namespace isolation, escalate privileges, and potentially escape from a container to gain root-level access on the host.

Past reporting from Aqua Security and Palo Alto Networks, cited by CISA, emphasizes that the vulnerability primarily threatens containerized environments that use cgroups v1 and is especially dangerous when containers are granted elevated capabilities.

Patched kernel versions and the technical footprint

CISA and upstream maintainers list specific kernel versions that contain fixes for CVE-2022-0492. The Linux kernel versions that address the issue are:

  • 4.9.301+
  • 4.14.266+
  • 4.19.229+
  • 5.4.177+
  • 5.10.97+
  • 5.15.20+
  • 5.16.6+
  • 5.17-rc3+

The vulnerability impacts multiple kernel branches, described in CISA’s notice as spanning 2.6 through 4.20 and 5.5 through 5.17, underscoring broad exposure in legacy and intermediate kernel releases still present in many container and embedded deployments.

CISA’s KEV listing, the BOD 22-01 requirement, and the June 5 deadline

By adding CVE-2025-48595 and CVE-2022-0492 to its Known Exploited Vulnerabilities catalog, CISA has activated a binding requirement for federal agencies subject to Binding Operational Directive 22-01: apply the vendor-provided security updates and mitigations, or stop using the impacted software. CISA set the deadline for compliance at June 5.

KEV also functions as a public notice board. CISA notes that critical infrastructure entities and large organizations should take the same urgency in addressing these flaws, even where the BOD 22-01 mandate does not apply. Notably, neither entry carries CISA’s additional "exploited by ransomware groups" flag.

What this means for federal agencies, cloud/container operators, and Android device managers

  • Federal agencies: The BOD 22-01 directive requires agencies bound by it to install vendor updates or remove the impacted software by June 5. The KEV inclusion converts public advisories into an operational deadline.
  • Cloud and container operators: CVE-2022-0492 mainly affects cgroups v1 environments, with particular risk where containers run with elevated capabilities. Operators should verify kernel versions against the patched list and review whether cgroups v1 usage or container capability grants create exposure.
  • Android device managers and end-user device teams: Devices running Android 14–16 should be updated to the June 2026 security patch levels (2026-06-01 and 2026-06-05) that Google released to address CVE-2025-48595; the vulnerability requires no user interaction and is reported as under limited targeted exploitation.

CISA’s notice ties two different exploitation threads together — a current, targeted Android bug and a container escape that has persisted in kernel trees — and converts them into a near-term action item by invoking KEV and the BOD 22-01 deadline of June 5. Google’s acknowledgment that it has seen limited targeted exploitation, paired with the absence of technical detail about the incidents, leaves organizations with little choice but to rely on the vendor fixes and the kernel version list CISA circulated. Will the required patches and mitigations be applied widely and quickly enough to blunt these active threats by the deadline? The clock CISA set runs out on June 5.

Source: BleepingComputer — CISA warns of active attacks exploiting Android, Linux bugs