CISA Android and Linux Warnings Put Patch Timing Back on the Security Agenda
CISA added exploited Android and Linux vulnerabilities to its Known Exploited Vulnerabilities catalog. The Android flaw affects Android 14 through 16, while the Linux issue centers on older kernel branches and cgroups v1 container environments. The immediate test is whether agencies and infrastructure operators apply vendor updates or mitigations by CISA's June 5 deadline.
CISA Adds Two Exploited Bugs to KEV
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, putting Android and Linux patch timing back in focus for agencies and large infrastructure operators.
The Android entry, CVE-2025-48595, is a high-severity integer overflow vulnerability in the Android Framework.
Google's security bulletin says the issue affects Android 14 through 16 and requires no user interaction to exploit.
Google said the flaw may be under limited targeted exploitation in the wild, but did not provide incident details or technical information about the activity.
Google addressed the Android issue in the June 2026 security patch levels dated 2026-06-01 and 2026-06-05.
For security teams, the practical risk is privilege escalation without user interaction, which raises the value of timely device patching and fleet-level update checks.
Linux Container Risk Centers on Privilege Escalation
The second KEV addition, CVE-2022-0492, is a high-severity privilege escalation flaw in older Linux kernel branches.
The vulnerable path sits in the cgroupreleaseagent_write() function of the cgroups v1 subsystem.
Cgroups, or control groups, are a Linux mechanism for limiting and organizing process resources; the flaw can let a local attacker cross namespace boundaries, gain higher privileges and move from a container toward root-level control of the host system.
Aqua Security and Palo Alto Networks previously linked the issue primarily to containerized environments using cgroups v1, especially when containers are granted elevated capabilities.
That makes the patch decision more than a server-maintenance item for organizations running container workloads.
The reader-risk control is straightforward: apply vendor-provided updates or mitigations, and review container privilege settings where cgroups v1 remains in use.
Deadline Creates the Operational Signal
CISA's KEV listing requires federal agencies covered by the BOD 22-01 directive to apply vendor-provided security updates and mitigations, or stop using the affected software.
CISA set the deadline for June 5.
The catalog also functions as a warning board for critical infrastructure entities and large organizations outside the federal mandate.
Neither vulnerability is marked as exploited by ransomware groups in CISA's entries, but the active-exploitation status is enough to move these bugs from routine vulnerability tracking into near-term remediation planning.
The next signal is whether device and Linux-container operators can close the patch gap before the vulnerabilities become broader operational risk.
