CISA warns of active attacks exploiting Android, Linux bugs
CISA has issued a warning about active exploitation of two vulnerabilities affecting Android and Linux systems. The first is CVE-2025-48595, a high-severity integer overflow in the Android Framework impacting Android versions 14 through 16, which allows privilege escalation without user interaction. The second is CVE-2022-0492, a high-severity privilege escalation flaw in the Linux kernel's cgroups v1 subsystem, enabling local attackers to bypass namespace isolation and potentially escape containers to gain root access. Both vulnerabilities are included in CISA's Known Exploited Vulnerabilities catalog, requiring federal agencies to patch or discontinue use by June 5, 2026. The Android flaw has been addressed in June 2026 security patches, and the Linux kernel flaw is fixed in specified kernel versions. Neither vulnerability is currently linked to ransomware group exploitation.
AI Analysis
Technical Summary
This threat involves two actively exploited vulnerabilities identified by CISA. CVE-2025-48595 is an integer overflow in the Android Framework affecting Android 14 to 16, exploitable without user interaction for privilege escalation. Google released patches in June 2026 to remediate this issue. CVE-2022-0492 is a privilege escalation vulnerability in the Linux kernel's cgroup_release_agent_write() function within the cgroups v1 subsystem. It allows local attackers to bypass namespace isolation and escape containers, gaining root privileges on the host. This flaw affects multiple Linux kernel branches from 2.6 through 4.20 and 5.5 through 5.17 and is fixed in kernel versions 4.9.301+, 4.14.266+, 4.19.229+, 5.4.177+, 5.10.97+, 5.15.20+, 5.16.6+, and 5.17-rc3+. Both vulnerabilities are listed in CISA's KEV catalog, triggering mandatory remediation for federal agencies under BOD 22-01.
Potential Impact
Successful exploitation of CVE-2025-48595 can lead to privilege escalation on affected Android devices without user interaction, potentially allowing attackers to gain elevated privileges. CVE-2022-0492 enables local attackers to bypass container isolation and escalate privileges to root on the host system, particularly impacting containerized environments using cgroups v1 with elevated capabilities. These impacts pose significant risks to system integrity and security, especially in environments relying on containerization and Android devices running vulnerable versions.
Mitigation Recommendations
For CVE-2025-48595, apply the June 2026 Android security patches (2026-06-01 and 2026-06-05 security patch levels) provided by Google. For CVE-2022-0492, upgrade Linux kernels to versions 4.9.301 or later, 4.14.266 or later, 4.19.229 or later, 5.4.177 or later, 5.10.97 or later, 5.15.20 or later, 5.16.6 or later, or 5.17-rc3 or later as appropriate. Federal agencies must comply with CISA's BOD 22-01 directive to patch or discontinue use of affected software by June 5, 2026. Organizations should prioritize patching these vulnerabilities promptly. No additional vendor advisories indicate that no action is required or that these issues are mitigated by other means.
CISA warns of active attacks exploiting Android, Linux bugs
Description
CISA has issued a warning about active exploitation of two vulnerabilities affecting Android and Linux systems. The first is CVE-2025-48595, a high-severity integer overflow in the Android Framework impacting Android versions 14 through 16, which allows privilege escalation without user interaction. The second is CVE-2022-0492, a high-severity privilege escalation flaw in the Linux kernel's cgroups v1 subsystem, enabling local attackers to bypass namespace isolation and potentially escape containers to gain root access. Both vulnerabilities are included in CISA's Known Exploited Vulnerabilities catalog, requiring federal agencies to patch or discontinue use by June 5, 2026. The Android flaw has been addressed in June 2026 security patches, and the Linux kernel flaw is fixed in specified kernel versions. Neither vulnerability is currently linked to ransomware group exploitation.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat involves two actively exploited vulnerabilities identified by CISA. CVE-2025-48595 is an integer overflow in the Android Framework affecting Android 14 to 16, exploitable without user interaction for privilege escalation. Google released patches in June 2026 to remediate this issue. CVE-2022-0492 is a privilege escalation vulnerability in the Linux kernel's cgroup_release_agent_write() function within the cgroups v1 subsystem. It allows local attackers to bypass namespace isolation and escape containers, gaining root privileges on the host. This flaw affects multiple Linux kernel branches from 2.6 through 4.20 and 5.5 through 5.17 and is fixed in kernel versions 4.9.301+, 4.14.266+, 4.19.229+, 5.4.177+, 5.10.97+, 5.15.20+, 5.16.6+, and 5.17-rc3+. Both vulnerabilities are listed in CISA's KEV catalog, triggering mandatory remediation for federal agencies under BOD 22-01.
Potential Impact
Successful exploitation of CVE-2025-48595 can lead to privilege escalation on affected Android devices without user interaction, potentially allowing attackers to gain elevated privileges. CVE-2022-0492 enables local attackers to bypass container isolation and escalate privileges to root on the host system, particularly impacting containerized environments using cgroups v1 with elevated capabilities. These impacts pose significant risks to system integrity and security, especially in environments relying on containerization and Android devices running vulnerable versions.
Mitigation Recommendations
For CVE-2025-48595, apply the June 2026 Android security patches (2026-06-01 and 2026-06-05 security patch levels) provided by Google. For CVE-2022-0492, upgrade Linux kernels to versions 4.9.301 or later, 4.14.266 or later, 4.19.229 or later, 5.4.177 or later, 5.10.97 or later, 5.15.20 or later, 5.16.6 or later, or 5.17-rc3 or later as appropriate. Federal agencies must comply with CISA's BOD 22-01 directive to patch or discontinue use of affected software by June 5, 2026. Organizations should prioritize patching these vulnerabilities promptly. No additional vendor advisories indicate that no action is required or that these issues are mitigated by other means.
Technical Details
- Article Source
- {"url":"https://www.bleepingcomputer.com/news/security/cisa-warns-of-active-attacks-exploiting-android-linux-bugs/","fetched":true,"fetchedAt":"2026-06-03T15:48:37.057Z","wordCount":687}
Threat ID: 6a204cd5e29bf47b50c9fc3a
Added to database: 6/3/2026, 3:48:37 PM
Last enriched: 6/3/2026, 3:48:45 PM
Last updated: 6/3/2026, 4:54:58 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.