The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that hackers are exploiting vulnerabilities in the Linux kernel and Android operating system.
The most recent flaw the agency added to its Known Exploited Vulnerabilities (KEV) catalog, CVE-2025-48595, is a high-severity integer overflow vulnerability in the Android Framework, which can be leveraged for increased privileges.
According to Google’s recent security bulletin, the security issue impacts Android 14 through 16, and requires no user interaction to exploit.
Google indicated that CVE-2025-48595 may be under limited targeted exploitation in the wild, but provided no specific details about the activity or technical information about the flaw or the incidents.
The issue has been addressed with the release of June 2026 security patches (2026-06-01 and 2026-06-05 security patch levels).
The second vulnerability CISA added to KEV is tracked as CVE-2022-0492, a high-severity privilege escalation flaw that impacts multiple Linux kernel branches, from 2.6 through 4.20, and from 5.5 through 5.17.
The flaw lies in the ‘cgroup_release_agent_write()’ function of the cgroups v1 subsystem, which, due to insufficient authentication checks, can be abused by a local attacker to bypass namespace isolation, escalate privileges, and potentially escape from a container to gain root-level access on the host system.
According to past reports from Aqua Security and Palo Alto Networks, the issue primarily impacts containerized environments using cgroups v1, and is especially dangerous when containers are granted elevated capabilities.
The Linux kernel versions that address the issue are:
- 4.9.301+
- 4.14.266+
- 4.19.229+
- 5.4.177+
- 5.10.97+
- 5.15.20+
- 5.16.6+
- 5.17-rc3+
By including the two flaws in KEV, all federal agencies bound by the BOD 22-01 directive are required to apply the vendor-provided security updates and mitigations, or to stop using the impacted software. CISA set the deadline for June 5.
However, the KEV also serves as a notice board for critical infrastructure entities and large organizations in general, who should take security measures against these flaws with the same urgency.
Neither of the flaws is marked as exploited by ransomware groups, which is a specific flag CISA uses on its KEV entries to highlight additional severity and patching urgency.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
