All incidents

CISA adds Linux kernel CVE-2022-0492 and Android CVE-2025-48595 to KEV catalogue

vulnerabilityclosedJun 2, 2026 — Jun 3, 2026
CISA adds Linux kernel CVE-2022-0492 and Android CVE-2025-48595 to KEV catalogue

THE Cybersecurity and Infrastructure Security Agency has added CVE-2022-0492 and CVE-2025-48595 to its Known Exploited Vulnerabilities catalogue after confirming active exploitation in the wild. The Linux kernel flaw permits local privilege escalation through improper authentication, while the Android Framework integer overflow enables code execution with elevated privileges. Federal agencies must apply mitigations by 5 June 2026 to avoid potential operational disruption.

CVE-2022-0492 resides in the cgroups v1 release_agent mechanism where an insufficient authentication check lets a local user with access to the host trigger a privileged release agent script, thereby gaining root‑level control. The vulnerability carries a CVSS v3.1 score of 7.8 and is rated HIGH. Patches have been issued by distributors such as Debian (DSA‑5095) and are incorporated in mainline kernel commit 24f6008564183aa120d07c03d9289519c2fe02af, as noted in the CISA advisory published on the KEV catalogue.

CVE-2025-48595 is an integer‑overflow vulnerability in the Android Framework component that can be triggered by a low‑privilege local user, leading to arbitrary code execution with system‑level privileges. The flaw received a CVSS v3.1 score of 8.4, also rated HIGH, and affects Android 14 and later releases. Google addressed the issue in the June 2026 security bulletin, which is referenced in the CISA entry here and detailed in the Android security update bulletin.

Although no specific threat actor has been linked to either vulnerability, their inclusion in the KEV catalogue confirms that attackers are actively exploiting them in the wild. Security researchers have observed attempts to abuse the Linux cgroups flaw to break out of container environments, while the Android overflow has been used in local privilege‑escalation chains targeting unpatched devices. The June 2026 Android update that patches CVE-2025-48595 also resolved 123 additional vulnerabilities, as reported by SecurityWeek here.

Defenders should prioritise applying the latest kernel patches from their distribution vendors and ensure that Android devices are updated to the June 2026 security patch level or later. Administrators must review cgroup configurations, disabling the release_agent feature where it is not required, and enforce strict limits on local user access to critical host resources. For mobile environments, implementing mobile‑device‑management policies that enforce timely update deployment will reduce the risk of exploitation.

Federal civilian agencies are required to remediate both flaws by 5 June 2026 in accordance with CISA’s binding directive, but the same timeline serves as a useful benchmark for private sector organisations seeking to stay ahead of active exploits. Maintaining an up‑to‑date asset inventory, validating patch deployment through vulnerability scanners, and monitoring for unexpected privilege‑escalation alerts will help ensure that these threats are neutralised before they can cause impact.

Intelligence briefing updated Jun 10, 2026

CVE-2025-48595 8.4 KEV CVE-2026-0059 8.0 CVE-2022-0492 7.8 KEV
Root sourcewww.cisa.gov
Timeline Coverage

Swipe to explore timeline