Actively Exploited Linux and Android Flaws Prompt Urgent Patching by CISA
Two vulnerabilities have been actively exploited: a Linux kernel flaw that allows namespace isolation to be bypassed (CVE-2022-0492) and an Android issue enabling local privilege escalation without user interaction (CVE-2025-48595). Both are listed in the CISA Known Exploited Vulnerabilities Catalog. Immediate patching is recommended for affected systems to mitigate risks.
Summary
CISA has added two critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2022-0492 and CVE-2025-48595. The former affects the Linux kernel, enabling attackers to bypass namespace isolation under specific conditions. The latter impacts Android devices, allowing privilege escalation without user interaction. Both vulnerabilities are exploited in targeted attacks, underscoring the urgency for organizations to apply patches.
What Happened
CISA's recent update to its KEV Catalog includes two newly identified vulnerabilities that have been actively exploited by malicious actors. CVE-2022-0492 affects the Linux kernel's cgroup management system, specifically exploiting a flaw in the cgroups v1 release_agent feature. This vulnerability allows attackers to escalate privileges and bypass namespace isolation, posing significant risks to systems relying on these security features.
Simultaneously, CVE-2025-48595 targets Android devices, stemming from an integer overflow issue within multiple components of the platform. This flaw enables local privilege escalation without requiring additional execution privileges or user interaction, making it particularly dangerous for mobile device security.
Technical Details
CVE-2022-0492 is a flaw in the Linux kernel's cgroup management system. The cgroups v1 release_agent feature, intended to manage resource limits for groups of processes, can be manipulated under certain conditions to escalate privileges and bypass namespace isolation. This flaw was identified through various bug reports and commits across multiple Linux distributions.
CVE-2025-48595 involves an integer overflow vulnerability within Android's Framework component. The issue allows attackers to execute code with elevated privileges on affected devices without needing further execution permissions or user interaction. Google has acknowledged limited, targeted exploitation of this vulnerability, indicating its potential use in sophisticated attack chains by commercial spyware vendors.
Affected Products and Fixed Versions
The Linux kernel is impacted by CVE-2022-0492, affecting systems that utilize the cgroups v1 release_agent feature. Specific distributions have addressed this issue through patches available in their respective repositories.
For Android devices, CVE-2025-48595 affects versions prior to the latest update announced by Google. The patch for this vulnerability is included in the most recent Android security updates, which address 124 vulnerabilities, including one zero-day exploit.
Exploitation Status
Both CVE-2022-0492 and CVE-2025-48595 are confirmed as actively exploited in the wild. CISA's inclusion of these vulnerabilities in its KEV Catalog highlights their significance and the ongoing threat they pose to affected systems. The exploitation of CVE-2025-48595, in particular, has been linked to targeted attacks by commercial spyware vendors.
Indicators of Compromise
While specific indicators of compromise (IOCs) for these vulnerabilities are not detailed in the available sources, organizations should monitor for unusual privilege escalations and unauthorized access attempts on their systems. Regularly reviewing system logs and employing intrusion detection systems can help identify potential exploitation activities.
Detection Opportunities
Organizations can detect potential exploitation of CVE-2022-0492 by monitoring for unexpected changes in namespace isolation settings or unauthorized privilege escalations within the Linux kernel's cgroup management system. For CVE-2025-48595, detecting unusual application behavior or unauthorized access attempts on Android devices may indicate exploitation.
Timeline
CVE-2022-0492 was identified and addressed through various bug reports and commits across multiple Linux distributions before being listed in CISA's KEV Catalog on June 2, 2026. CVE-2025-48595 was patched by Google in its latest Android update, which also included fixes for 123 other vulnerabilities.
Why This Matters for Defenders
The active exploitation of these vulnerabilities underscores the critical need for timely patch management and vulnerability remediation practices. Organizations must prioritize updating affected systems to mitigate the risks posed by CVE-2022-0492 and CVE-2025-48595, especially given their potential use in sophisticated attack chains.
What Remains Unclear
While the exploitation of these vulnerabilities is confirmed, specific details regarding the extent of attacks or the identities of the attackers remain unclear. Further investigation and information sharing among security communities may provide additional insights into these threats.
Defender Guidance
Organizations should immediately apply available patches for CVE-2022-0492 and CVE-2025-48595 to protect against active exploitation. Regularly updating systems, monitoring for unusual activities, and employing robust intrusion detection mechanisms are essential steps in defending against these vulnerabilities. Additionally, staying informed about the latest security advisories from CISA and other trusted sources can help organizations respond effectively to emerging threats.
Sources
- https://www.cisa.gov/news-events/alerts/2026/06/02/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://thehackernews.com/2026/06/google-june-2026-android-update-patches.html
- https://www.securityweek.com/android-update-patches-exploited-zero-day-123-other-vulnerabilities/
- https://bugzilla.redhat.com/show_bug.cgi?id=2051505
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=24f6008564183aa120d07c03d9289519c2fe02af
- https://lists.debian.org/debian-lts-announce/2022/03/msg00011.html
