PROBABLYPWNED
Vulnerabilities | June 3, 2026 | 4 min read

CISA Orders 3-Day Patch for Android and Linux Flaws Under Attack

Federal agencies face June 5 deadline to remediate CVE-2025-48595 and CVE-2022-0492 after CISA confirms active exploitation. Linux container escapes and Android privilege escalation at risk.

Marcus Chen

CISA added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog on June 2, forcing federal agencies to patch Android devices and Linux systems within three days. The unusually tight deadline reflects confirmed exploitation of both flaws in the wild.

The vulnerabilities—CVE-2025-48595 in Android and CVE-2022-0492 in Linux—target different platforms but share a common impact: both enable attackers to escalate privileges and gain elevated system access.

Android Framework Integer Overflow

CVE-2025-48595 is a high-severity integer overflow vulnerability in the Android Framework carrying a CVSS score of 8.4. The flaw allows local attackers to escalate privileges without requiring any user interaction.

Google acknowledged the vulnerability "may be under limited, targeted exploitation" when releasing June 2026 security patches. The company did not disclose specific details about the attacks or threat actors involved.

Affected versions:

  • Android 14
  • Android 15
  • Android 16
  • Android 16-QPR2

The local attack vector suggests that exploitation arrives through malicious applications that users have been tricked into installing, or as a second stage after an initial compromise through a separate vulnerability. Security researchers note integer overflows in Android can create pathways for code execution at system privilege levels, granting attackers full device control.

Pixel devices received patches immediately. Other manufacturers—Samsung, OnePlus, Motorola, and others—typically require days to weeks for testing before deployment.

Linux cgroups Container Escape

CVE-2022-0492 is a privilege escalation vulnerability in the Linux kernel's cgroups v1 implementation. Despite being discovered in 2022, CISA added it to the KEV catalog only now after confirming active exploitation.

The flaw exists in the cgroup_release_agent_write() function within kernel/cgroup/cgroup-v1.c. According to Palo Alto Networks Unit 42, the kernel failed to verify that processes writing to the release_agent file possess administrative privileges (CAP_SYS_ADMIN capability).

This oversight created what researchers called "one of the simplest Linux privilege escalations discovered in recent times."

Attackers can exploit the flaw to:

  • Escape container environments to the host system
  • Bypass namespace isolation
  • Gain root-level access on vulnerable hosts

Affected kernel versions:

  • Linux 2.6 through 4.20
  • Linux 5.5 through 5.17

We previously covered another severe Linux kernel privilege escalation that went undetected for 19 years—a pattern showing how deep-seated kernel vulnerabilities continue surfacing in enterprise environments.

Who Is Protected

Not all Linux deployments are vulnerable to container escape via CVE-2022-0492. Three security mechanisms block exploitation:

  • AppArmor: Prevents mounting cgroupfs, blocking the attack chain
  • SELinux: Same protection—denies cgroupfs mounting
  • Seccomp: Blocks the unshare() syscall needed to create user namespaces

Default container runtime configurations in Docker and Kubernetes typically enable at least one of these protections. However, organizations running containers with relaxed security policies or custom configurations should audit their deployments immediately.

Patched kernel versions include 4.9.301+, 4.14.266+, 4.19.229+, 5.4.177+, 5.10.97+, 5.15.20+, 5.16.6+, and 5.17-rc3+.

Federal Deadline: June 5

Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must remediate both vulnerabilities by June 5, 2026—just three days from the KEV addition.

The compressed timeline indicates CISA views active exploitation as an immediate threat rather than a theoretical risk. Agencies that cannot patch in time must implement compensating controls or remove affected systems from federal networks.

While BOD 22-01 applies only to federal agencies, CISA strongly urges all organizations to prioritize KEV catalog entries. The agency has been aggressively expanding the catalog, which now contains over 1,200 vulnerabilities confirmed as exploited in real attacks.

Recommended Actions

For Android:

  1. Check Settings > About Phone > Android Security Patch Level
  2. Install 2026-06-01 or 2026-06-05 security patches if available
  3. Organizations should push updates through MDM solutions immediately
  4. Consider restricting app installations to managed sources until patched

For Linux:

  1. Verify kernel version against affected ranges
  2. Update to patched kernel releases
  3. Confirm AppArmor, SELinux, or Seccomp is enabled on container hosts
  4. Audit container runtime configurations for disabled security features
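
As an added example (not code from CISA, Unit 42 or the article's sources), the script below sketches steps 1 and 3 of the Linux list: it compares a kernel release string against the patched releases listed above and reports AppArmor/SELinux and seccomp state. The function names and the `below-fix` / `unlisted` labels are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: host triage for CVE-2022-0492, covering Linux steps 1 and 3.

# Lowest fixed patch level per upstream stable branch (the article's list).
fixed_patch_for() {
  case "$1" in
    4.9) echo 301 ;; 4.14) echo 266 ;; 4.19) echo 229 ;; 5.4) echo 177 ;;
    5.10) echo 97 ;; 5.15) echo 20 ;; 5.16) echo 6 ;; *) return 1 ;;
  esac
}

# classify_kernel RELEASE -> patched | below-fix | unlisted
# below-fix: upstream number is older than the fix. Distro kernels often
# backport fixes without bumping it, so confirm with the vendor advisory.
# unlisted: branch has no fixed release in the list; treat as affected.
classify_kernel() {
  local rel="${1%%-*}" major minor patch rest fixed
  case "$1" in 5.17*-rc[12]|5.17*-rc[12]-*) echo below-fix; return ;; esac
  major="${rel%%.*}"; rest="${rel#*.}"
  minor="${rest%%.*}"; minor="${minor%%[!0-9]*}"
  patch="${rest#*.}"; [ "$patch" = "$rest" ] && patch=0
  patch="${patch%%[!0-9]*}"; patch="${patch:-0}"
  if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 17 ]; }; then
    echo patched; return
  fi
  fixed="$(fixed_patch_for "$major.$minor")" || { echo unlisted; return; }
  if [ "$patch" -ge "$fixed" ]; then echo patched; else echo below-fix; fi
}

# active_lsms [FILE] -> which of apparmor/selinux the kernel has initialised.
# Presence is not enforcement: still check aa-status / getenforce.
active_lsms() {
  local f="${1:-/sys/kernel/security/lsm}"
  [ -r "$f" ] || return 0
  tr ',' '\n' < "$f" | grep -E '^(apparmor|selinux)$' | paste -sd, -
}

# seccomp_mode [STATUS_FILE] -> 0 off, 1 strict, 2 filter, for one process.
# Pass /proc/<pid>/status of a container's init to check that workload.
seccomp_mode() { awk '/^Seccomp:/ {print $2}' "${1:-/proc/self/status}"; }

printf 'kernel %s: %s\n' "$(uname -r)" "$(classify_kernel "$(uname -r)")"
printf 'LSMs: %s\n' "$(active_lsms)"
printf 'seccomp (this process): %s\n' "$(seccomp_mode)"
```

A seccomp mode of 2 only shows that a filter is loaded; whether that filter denies unshare() depends on the runtime's profile, which is what step 4 audits.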

The timing of these additions—both platforms targeted simultaneously—suggests attackers may be combining mobile and server-side exploitation in coordinated campaigns. Organizations running mixed Android device fleets alongside Linux infrastructure should treat this as a unified remediation effort rather than separate patching exercises.
