CISA KEV Update: Active Exploitation of CVE-2022-0492 and CVE-2025-48595
- [01] Malicious actors are actively exploiting vulnerabilities in the Linux Kernel and Android Framework to gain unauthorized access and escalate privileges.
- [02] Affected systems include Linux environments using cgroups v1 and mobile devices running vulnerable versions of the Android Framework component.
- [03] Organizations should immediately update Linux kernels and apply the latest Android security patches to mitigate risks from these known exploits.
On June 2, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) expanded its Known Exploited Vulnerabilities (KEV) Catalog to include two significant security flaws impacting the Linux Kernel and the Android Framework. According to CISA, these vulnerabilities are being actively targeted by malicious actors, necessitating immediate remediation by both federal agencies and private sector organizations.
The inclusion of these vulnerabilities highlights a persistent trend: attackers favor CVEs that enable privilege escalation or lateral movement inside an environment they have already compromised. One of the two flaws dates back to 2022, and its continued exploitation underscores how long unpatched systems survive in high-value targets.
Technical Analysis: How to Detect CVE-2022-0492 Exploit
CVE-2022-0492 is a technical flaw in the Linux Kernel’s control groups (cgroups) v1 implementation. Specifically, it involves the release_agent file, which is used to execute a process when a cgroup becomes empty. The vulnerability arises because the kernel does not properly validate that the process attempting to write to the release_agent file possesses the necessary capabilities.
In containerized environments, this flaw is particularly dangerous because it enables a container escape. If a container runs as root (even without full capabilities), an attacker can write a malicious script path to release_agent and trigger its execution on the host. To identify potential abuse, the SOC should monitor for unauthorized writes to /sys/fs/cgroup/*/release_agent and for suspicious kernel log entries related to cgroup modifications. Detecting CVE-2022-0492 exploit attempts reliably requires deep visibility into system calls and container runtime behavior, which in practice means EDR or audit tooling on the host.
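The following is an added detection example, not code from the original advisory: it correlates Linux auditd SYSCALL and PATH records for one event and flags a successful open-for-write of any cgroup v1 release_agent file. It assumes an audit watch on the cgroup filesystem is already in place and that the host is x86_64 (syscall numbers 2 for open and 257 for openat). Because a cgroup v1 hierarchy can be mounted at a path other than /sys/fs/cgroup, the match keys on the file name rather than the directory prefix. The audit lines are constructed sample input.

```python
import re
from collections import defaultdict

# Any path whose final component is release_agent (cgroup v1 hierarchies may
# be mounted anywhere, so the directory prefix is deliberately not pinned).
RELEASE_AGENT_RE = re.compile(r'^/(?:.*/)?release_agent$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'audit\(([\d.]+):(\d+)\)')

# x86_64 syscall numbers and the argument register that carries open flags.
OPEN_FLAGS_ARG = {'2': 'a1', '257': 'a2'}   # open(path, flags), openat(dirfd, path, flags)
O_WRONLY, O_RDWR = 0x1, 0x2

# Constructed sample auditd records (not real telemetry): one write to
# release_agent by a root shell, one benign read of the same file, and one
# benign write to cgroup.procs that must not alert.
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1717315200.123:4471): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c2b a2=241 a3=1b6 items=2 ppid=2311 pid=2390 uid=0 gid=0 euid=0 comm="sh" exe="/bin/dash" key="cgroup_release_agent"',
    'type=PATH msg=audit(1717315200.123:4471): item=0 name="/sys/fs/cgroup/memory/" inode=1 dev=00:1a mode=040755 ouid=0 ogid=0 nametype=PARENT',
    'type=PATH msg=audit(1717315200.123:4471): item=1 name="/sys/fs/cgroup/memory/release_agent" inode=2 dev=00:1a mode=0100644 ouid=0 ogid=0 nametype=NORMAL',
    'type=SYSCALL msg=audit(1717315201.500:4472): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c3c a2=0 a3=0 items=1 ppid=1 pid=2401 uid=0 gid=0 euid=0 comm="cat" exe="/bin/cat" key="cgroup_release_agent"',
    'type=PATH msg=audit(1717315201.500:4472): item=0 name="/sys/fs/cgroup/memory/release_agent" inode=2 dev=00:1a mode=0100644 ouid=0 ogid=0 nametype=NORMAL',
    'type=SYSCALL msg=audit(1717315202.700:4473): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c4d a2=241 a3=1b6 items=1 ppid=1 pid=2410 uid=0 gid=0 euid=0 comm="containerd" exe="/usr/bin/containerd" key="cgroup_release_agent"',
    'type=PATH msg=audit(1717315202.700:4473): item=0 name="/sys/fs/cgroup/memory/docker/1a2b/cgroup.procs" inode=9 dev=00:1a mode=0100644 ouid=0 ogid=0 nametype=NORMAL',
]


def parse_record(line):
    """Split one auditd record into a dict; quotes are stripped and the
    audit(ts:serial) stamp is exposed as 'ts' and 'serial'."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(fields.get('msg', ''))
    if m:
        fields['ts'], fields['serial'] = m.group(1), m.group(2)
    return fields


def opened_for_write(syscall_rec):
    """True when the open/openat flags in the SYSCALL record include write access."""
    arg = OPEN_FLAGS_ARG.get(syscall_rec.get('syscall'))
    if arg is None:
        return False
    flags = int(syscall_rec.get(arg, '0'), 16)
    return bool(flags & (O_WRONLY | O_RDWR))


def find_release_agent_writes(lines):
    """Group records by event serial and return one finding per successful
    open-for-write whose PATH record names a release_agent file."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if 'serial' in rec:
            events[rec['serial']].append(rec)

    findings = []
    for serial, recs in sorted(events.items()):
        syscall = next((r for r in recs if r.get('type') == 'SYSCALL'), None)
        targets = [r['name'] for r in recs
                   if r.get('type') == 'PATH' and RELEASE_AGENT_RE.match(r.get('name', ''))]
        if not syscall or not targets or syscall.get('success') != 'yes':
            continue
        if not opened_for_write(syscall):
            continue  # reads of release_agent are noise, not an escape attempt
        findings.append({
            'serial': serial, 'ts': syscall.get('ts'), 'path': targets[0],
            'uid': syscall.get('uid'), 'pid': syscall.get('pid'),
            'comm': syscall.get('comm'), 'exe': syscall.get('exe'),
        })
    return findings


if __name__ == '__main__':
    for f in find_release_agent_writes(SAMPLE_AUDIT_LINES):
        print(f"ALERT release_agent write: {f}")
```

Run against a real host by feeding the lines of /var/log/audit/audit.log to find_release_agent_writes; on the sample input it reports only event 4471 (the root shell's write), while the read in 4472 and the cgroup.procs write in 4473 stay silent. The exe and comm fields are what an analyst pivots on next: a container runtime or systemd writing release_agent during setup is expected, an interactive shell inside a container is not.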
CVE-2025-48595: Android Framework Vulnerability
The second addition, CVE-2025-48595, is an integer overflow vulnerability within the Android Framework. This CVSS 7.8 flaw can be triggered when the framework processes specifically crafted data, leading to memory corruption.
While the source material does not detail the exact TTP used by attackers, integer overflows in mobile frameworks typically serve as a stepping stone to RCE or to a bypass of application sandboxing. The CVE-2025-48595 Android Framework exploit likely targets the media or system service layers, where complex data parsing occurs. Because the vulnerability is now in the KEV, it is highly probable that it is being used in targeted phishing campaigns or delivered through malicious applications intended to compromise mobile device integrity.
Linux Kernel Patch Guidance and Remediation
CISA’s Binding Operational Directive (BOD) 22-01 mandates that Federal Civilian Executive Branch (FCEB) agencies remediate these flaws within a specific timeframe. For broader industry participants, the following actions are recommended:
- Apply Kernel Updates: Administrators should follow established Linux Kernel patch guidance by updating to versions that transition away from cgroups v1 or incorporate the credential validation fix. If patching is not immediately feasible, disabling unprivileged user namespaces can mitigate some exploitation paths.
- Mobile Device Management: Ensure all Android devices are updated to the latest security patch level. Organizations should use Zero Trust principles to restrict network access for devices that are not running current firmware.
- Reviewing IoCs: Defenders should check their SIEM for any IoCs associated with known exploit kits that have integrated these vulnerabilities.
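To turn the Linux kernel guidance above into something an administrator can run, here is an added posture check (not part of the original advisory or any vendor tool). It parses /proc/self/mountinfo to find cgroup v1 hierarchies, which are the only place a release_agent file exists, and reads /proc/sys/user/max_user_namespaces, which is 0 when user namespaces are disabled for everyone. The exposure levels it reports are this example's own labels; whether the running kernel already carries the CVE-2022-0492 fix must be confirmed separately against the distribution's advisory. The mountinfo text below is constructed sample input, and the script falls back to it when not run on Linux.

```python
import os

# Constructed sample of /proc/self/mountinfo from a host with mixed hierarchies:
# a cgroup2 "unified" mount plus two cgroup v1 controllers (systemd, memory).
SAMPLE_MOUNTINFO_MIXED = """\
30 23 0:26 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:9 - tmpfs tmpfs ro,mode=755
31 30 0:27 / /sys/fs/cgroup/unified rw,nosuid,nodev,noexec,relatime shared:10 - cgroup2 cgroup2 rw
32 30 0:28 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:11 - cgroup cgroup rw,xattr,name=systemd
34 30 0:30 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:12 - cgroup cgroup rw,memory
"""

# Constructed sample from a host that has moved entirely to cgroup v2.
SAMPLE_MOUNTINFO_V2_ONLY = """\
30 23 0:26 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:9 - cgroup2 cgroup2 rw,nsdelegate
"""


def parse_mountinfo(text):
    """Return (mount_point, fstype, super_options) for each mountinfo line.
    Fields before ' - ' are positional (mount point is the 5th); the first
    three after it are fstype, source and super options. Spaces in paths are
    escaped as \\040 by the kernel and are decoded here."""
    mounts = []
    for line in text.splitlines():
        head, sep, tail = line.partition(' - ')
        if not sep:
            continue
        pre, post = head.split(), tail.split()
        if len(pre) < 6 or len(post) < 3:
            continue
        mount_point = pre[4].replace('\\040', ' ')
        mounts.append((mount_point, post[0], post[2]))
    return mounts


def cgroup_v1_hierarchies(text):
    """Mount points of cgroup v1 hierarchies (fstype 'cgroup', not 'cgroup2')."""
    return [mp for mp, fstype, _ in parse_mountinfo(text) if fstype == 'cgroup']


def assess_host(mountinfo_text, max_user_namespaces):
    """Classify exposure to the CVE-2022-0492 attack surface.
    'none'    - no cgroup v1 hierarchy mounted, so no release_agent file exists
    'reduced' - v1 present but unprivileged user namespaces are disabled
    'full'    - v1 present and user namespaces are available
    Kernel patch status is not inferred here and must be checked separately."""
    v1 = cgroup_v1_hierarchies(mountinfo_text)
    userns_restricted = int(str(max_user_namespaces).strip()) == 0
    if not v1:
        exposure = 'none'
    elif userns_restricted:
        exposure = 'reduced'
    else:
        exposure = 'full'
    return {'cgroup_v1': v1, 'userns_restricted': userns_restricted, 'exposure': exposure}


def read_live_host():
    """Read the real inputs on a Linux host; returns None elsewhere."""
    try:
        with open('/proc/self/mountinfo') as f:
            mountinfo = f.read()
        with open('/proc/sys/user/max_user_namespaces') as f:
            max_userns = f.read()
    except OSError:
        return None
    return mountinfo, max_userns


if __name__ == '__main__':
    live = read_live_host() if os.name == 'posix' else None
    mountinfo, max_userns = live if live else (SAMPLE_MOUNTINFO_MIXED, '28633')
    report = assess_host(mountinfo, max_userns)
    print(f"cgroup v1 hierarchies : {report['cgroup_v1'] or 'none'}")
    print(f"user namespaces       : {'disabled' if report['userns_restricted'] else 'enabled'}")
    print(f"exposure              : {report['exposure']}")
```

Run it on each Linux host in scope; a result of 'full' means the host still mounts cgroup v1 and has user namespaces enabled, so it needs the kernel update (or the interim user-namespace restriction) before it can be considered covered by the remediation steps above. A 'none' result means the host has completed the migration to cgroup v2 and no release_agent file is exposed.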
Failure to address these vulnerabilities leaves infrastructure exposed to reliable, high-impact exploitation methods that have already been proven effective in the field.