
U.S. CISA adds Android and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog

SecurityXP Editorial Team

The Latest Threats to Linux and Android

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two significant vulnerabilities to its Known Exploited Vulnerabilities catalog. One is a high-severity privilege escalation flaw in the Linux kernel, tracked as CVE-2022-0492; the other is a high-severity integer overflow vulnerability in the Android Framework, tracked as CVE-2025-48595. Users of Linux and Android need to pay attention.

The Linux kernel flaw, CVE-2022-0492, allows an attacker to escape a container and execute arbitrary commands on the container host. That is a serious problem, especially for users who rely on the control groups feature in the Linux kernel. On the Android side, CVE-2025-48595 can be exploited without user interaction, which makes it a significant threat. Google has already addressed CVE-2025-48595 with the release of the June 2026 security patches.

Understanding the Vulnerabilities

CVE-2022-0492 is of particular concern because it affects the control groups (cgroups) feature in the Linux kernel. This feature is used to manage resources, so a flaw here can have serious consequences. The Android vulnerability, CVE-2025-48595, affects versions 14 through 16 of the operating system. To mitigate these vulnerabilities, users should apply the June 2026 security patches to their Android devices and update their Linux kernel to a version that fixes CVE-2022-0492. Restricting access to the cgroups v1 release_agent functionality in the Linux kernel can also help.

Fallout and Response

The impact of these vulnerabilities cannot be overstated. They can be exploited to gain increased privileges or execute arbitrary commands on the container host. They can also be exploited without user interaction, which makes them even more dangerous. We've seen this pattern before with the exploitation of the Log4j and OpenSSL vulnerabilities, which showed the potential for widespread impact when open-source flaws are left unpatched. Organizations must prioritize patching and vulnerability management to mitigate these risks.

In practice, that means applying the June 2026 security patches to Android devices running versions 14 through 16 and updating the Linux kernel to a version that fixes CVE-2022-0492. If a patch is unavailable, users can restrict access to the cgroups v1 release_agent functionality in the Linux kernel as a workaround. Organizations can also monitor for suspicious activity related to these vulnerabilities.
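
One way to inventory where the release_agent workaround applies is sketched below. It is an added example, not tooling from CISA, Google, or the kernel project. The function names, the `sysroot` parameter, and the sample mount table are assumptions made for illustration.

```python
import os

# Constructed sample of /proc/mounts content (not taken from a real host).
SAMPLE_MOUNTS = """\
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/rdma cgroup ro,nosuid,nodev,noexec,relatime,rdma 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
"""

def cgroup_v1_mounts(mounts_text):
    """Return (mountpoint, read_only) for every cgroup v1 hierarchy."""
    found = []
    for line in mounts_text.splitlines():
        fields = line.split()
        # /proc/mounts columns: device mountpoint fstype options dump pass
        if len(fields) >= 4 and fields[2] == "cgroup":  # "cgroup2" is v2
            found.append((fields[1], "ro" in fields[3].split(",")))
    return found

def audit(mounts_text, sysroot="/"):
    """Report release_agent state at the root of each cgroup v1 hierarchy."""
    findings = []
    for mountpoint, read_only in cgroup_v1_mounts(mounts_text):
        path = os.path.join(sysroot, mountpoint.lstrip("/"), "release_agent")
        try:
            with open(path) as fh:
                agent = fh.read().strip()
        except OSError:
            agent = None  # file absent or unreadable from this context
        findings.append({
            "mountpoint": mountpoint,
            "read_only": read_only,
            "release_agent_present": agent is not None,
            "release_agent_value": agent or "",
            # Review a hierarchy that exposes the file on a writable mount,
            # or that already has an agent configured.
            "review": (agent is not None and not read_only) or bool(agent),
        })
    return findings

if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        for finding in audit(fh.read()):
            print(finding)
```

Run inside a container and on the host, the output shows which cgroup v1 hierarchies still expose release_agent and whether any already has a value set, which is a useful baseline for the monitoring mentioned above.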

The timeline of events surrounding these vulnerabilities started with the discovery of CVE-2022-0492 in 2022 and CVE-2025-48595 in 2025. Recently, attackers began exploiting CVE-2025-48595 in limited, targeted attacks in the wild, prompting Google to release the June 2026 security patches. CISA subsequently added both vulnerabilities to its Known Exploited Vulnerabilities catalog.
