U.S. CISA adds Android and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini
June 03, 2026

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Android and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Windows Shell and ConnectWise ScreenConnect flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

• CVE-2022-0492 (CVSS score of 7.0) Linux Kernel Improper Authentication Vulnerability
• CVE-2025-48595 Android Framework Integer Overflow Vulnerability

The first flaw added to the catalog, tracked as CVE-2022-0492, can be exploited by an attacker to escape a container to execute arbitrary commands on the container host.

The issue is a privilege escalation flaw affecting the Linux kernel feature called control groups (groups), that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes.

The flaw resides in the cgroups v1 release_agent functionality which is executed after the termination of any process in the group.

The root cause of the problem is the cgroups implementation in the Linux kernel that did not properly restrict access to the feature. A local attacker could exploit this vulnerability to gain administrative privileges.

The vulnerability was discovered by the security researchers Yiqi Sun and Kevin Wang.

The second flaw added to the catalog, tracked as CVE-2025-48595 (CVSS score of 8.4), affects devices running Android 14, 15, 16, and Android 16 QPR2. According to Google and the Android Security Bulletin, the issue is caused by an integer overflow that can lead to code execution and privilege escalation on a vulnerable device. An attacker could exploit the flaw to gain elevated access to the system without requiring additional privileges.

Google has confirmed that there are indications the flaw is being exploited in what it describes as “limited, targeted exploitation.”

“There are indications that CVE-2025-48595 may be under limited, targeted exploitation.” reads the advisory.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by June 5, 2026.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)