
CISA Warns of Active Attacks Exploiting Android, Linux Bugs
Why It Matters
These vulnerabilities expose both mobile devices and containerized workloads to unchecked privilege escalation, forcing rapid patch adoption across government and enterprise environments to prevent potential data breaches and service disruptions.
Key Takeaways
- CISA lists Android CVE‑2025‑48595 as high‑severity KEV entry
- Exploit requires no user interaction on Android 14‑16
- Linux CVE‑2022‑0492 enables container escape via cgroups v1
- Federal agencies must patch or discontinue use by June 5
Pulse Analysis
CISA’s expansion of the KEV catalog underscores a growing trend: nation‑state and criminal actors are shifting focus toward flaws that require minimal user involvement. By flagging Android CVE‑2025‑48595, the agency signals that mobile platforms—especially those running the latest Android releases—are now high‑value targets. The vulnerability’s reliance on an integer overflow means attackers can silently obtain elevated privileges, a scenario that mirrors past exploits in the mobile ecosystem. Organizations must prioritize the June 2026 security patches to close this attack vector before it matures into a widespread campaign.
The Linux kernel flaw, CVE‑2022‑0492, illustrates the hidden risks in container orchestration. Exploiting a weak check in the cgroup_release_agent_write() function, a malicious process can leap from a confined container to the host’s root account, effectively nullifying the isolation guarantees that cloud‑native architectures depend on. This vulnerability is especially acute for workloads still using cgroups v1 or granting containers elevated capabilities. Enterprises should audit their container runtimes, migrate to cgroups v2 where possible, and apply the patched kernel versions listed by CISA to mitigate the risk of a container breakout.
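The container audit suggested above, as an added example (not from the article or CISA): it reads the text of /proc/mounts and /proc/<pid>/status to report cgroups v1 hierarchies and whether the process holds CAP_SYS_ADMIN, taken here as the representative elevated capability (an assumption; the article names none). The function names and sample data are constructed for illustration.

```python
"""Audit helper for cgroups v1 exposure and elevated capabilities (added example)."""

CAP_SYS_ADMIN = 21  # bit index of CAP_SYS_ADMIN in linux/capability.h


def cgroup_v1_mounts(mounts_text):
    """Return (mountpoint, writable) for each cgroups v1 hierarchy in /proc/mounts text."""
    found = []
    for line in mounts_text.splitlines():
        fields = line.split()
        # cgroups v1 uses filesystem type "cgroup"; v2 shows up as "cgroup2".
        if len(fields) < 4 or fields[2] != "cgroup":
            continue
        writable = "rw" in fields[3].split(",")
        found.append((fields[1], writable))
    return found


def effective_caps(status_text):
    """Decode the CapEff hex mask from /proc/<pid>/status text into an int."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("CapEff not found in status text")


def audit(mounts_text, status_text):
    """Summarise the two conditions the article calls out, as seen by one process."""
    v1 = cgroup_v1_mounts(mounts_text)
    caps = effective_caps(status_text)
    return {
        "cgroup_v1_present": bool(v1),
        "writable_v1_hierarchies": [mnt for mnt, rw in v1 if rw],
        "has_cap_sys_admin": bool((caps >> CAP_SYS_ADMIN) & 1),
    }


# Constructed sample input (not captured from a real host).
SAMPLE_MOUNTS = """\
overlay / overlay rw,relatime 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/pids cgroup ro,nosuid,nodev,noexec,relatime,pids 0 0
"""
SAMPLE_STATUS = "Name:\tsh\nCapEff:\t000001ffffffffff\nSeccomp:\t0\n"

if __name__ == "__main__":
    print(audit(SAMPLE_MOUNTS, SAMPLE_STATUS))
    # Live use: audit(open("/proc/mounts").read(), open("/proc/self/status").read())
```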
Beyond immediate remediation, the KEV listings have compliance implications. Under the BOD 22‑01 directive, any federal entity must either patch the identified software or cease its use by the June 5 deadline, a timeline that cascades to contractors and partners handling government data. Private sector firms, particularly those in critical infrastructure, often mirror these standards to demonstrate robust cybersecurity posture. Proactive measures—such as automated patch management, continuous vulnerability scanning, and hardened container configurations—will not only satisfy regulatory expectations but also reduce the attack surface against increasingly sophisticated threat actors.