The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning to network defenders by adding two high-severity security flaws to its Known Exploited Vulnerabilities (KEV) catalog. The flaws—one impacting the Android framework and the other affecting multiple Linux kernel architectures—are currently being weaponized by threat actors in the wild to bypass device defenses and hijack system access.
Under the Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are legally required to apply vendor-supplied patches or implement alternative mitigations to secure their networks.
The Android Framework Integer Overflow Risk
The first added flaw, tracked as CVE-2025-48595, is a high-severity integer overflow vulnerability in the core Android Framework component. With a CVSS score of 8.4, it enables a local attacker to escalate privileges and execute unauthorized code on the device's operating system.
According to Google's security bulletin, the picture is one of local, targeted exploitation:
- Affected versions: the bug affects devices running Android 14, 15 and 16.
- No user interaction: exploitation requires no deliberate action from the device owner.
- Targeted exploitation: Google confirmed it has seen indications that the vulnerability is being used in "limited, targeted exploitation" campaigns.
Google has released fixes for the flaw as part of its security patch levels.
The Linux Kernel cgroups Isolation Escape
The second flaw, tracked as CVE-2022-0492, carries a CVSS score of 7.0 and is an improper-authentication weakness in the Linux kernel. Specifically, it resides in the cgroup_release_agent_write() handler of the control groups (cgroups) v1 subsystem, the kernel feature that limits and isolates resource usage for groups of processes.
Because the kernel did not adequately verify who was permitted to set the release agent, a local attacker can exploit the gap to escalate privileges. In virtualized or containerized infrastructure this can allow an attacker to break out of container isolation and obtain root on the underlying host.
The threat primarily affects deployments still using legacy cgroups v1 hierarchies, and it is most dangerous where a compromised process or CI/CD job already runs with elevated privileges or capabilities.
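Before deciding whether CVE-2022-0492 applies to a host, a defender needs to know whether the host exposes cgroups v1 at all, since the release_agent file only exists on legacy hierarchies. The script below is an added example, not code from the article, CISA or any kernel vendor: it parses /proc/self/mountinfo text and classifies the host as unified (v2), legacy (v1), hybrid or none, and lists the legacy hierarchies. The function names and the sample mountinfo lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the article or any vendor: classify how a Linux
# host mounts cgroups by parsing /proc/self/mountinfo text. Only cgroup v1
# hierarchies carry the release_agent file that CVE-2022-0492 concerns, so
# a host whose mode is "v2" is outside the flaw's reach, while "v1" or
# "hybrid" hosts need the kernel fix or a migration to the unified hierarchy.
# The function names are this example's own (hypothetical).

# mountinfo line layout (man 5 proc):
#   id parent major:minor root mountpoint options [optional...] - fstype source superopts
# The fields after the "-" separator start at a variable position, so locate it.

# Print "<mountpoint> <superopts>" for every cgroup v1 hierarchy in the
# mountinfo text read from stdin.
cgroup_v1_hierarchies() {
    awk '{
        fstype = ""; opts = ""
        for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i+1); opts = $(i+3); break }
        if (fstype == "cgroup") print $5 " " opts
    }'
}

# Print one of: v2 (unified only), v1 (legacy only), hybrid (both), none.
cgroup_mode() {
    awk '{
        fstype = ""
        for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i+1); break }
        if (fstype == "cgroup")  v1 = 1
        if (fstype == "cgroup2") v2 = 1
    }
    END {
        if (v1 && v2) print "hybrid"
        else if (v2)  print "v2"
        else if (v1)  print "v1"
        else          print "none"
    }'
}

# On a real host: report the mode and, on v1/hybrid hosts, list any
# release_agent file the current user can write. Unexpected write access
# from an unprivileged context is worth investigating. Informational only;
# it runs only when /proc/self/mountinfo is readable.
report_live_host() {
    [ -r /proc/self/mountinfo ] || { echo "no mountinfo (not Linux?)"; return 0; }
    mode=$(cgroup_mode < /proc/self/mountinfo)
    echo "cgroup mode: $mode"
    if [ "$mode" != "v2" ]; then
        find /sys/fs/cgroup -maxdepth 2 -name release_agent -writable 2>/dev/null || true
    fi
}

# Constructed mountinfo samples (not captured from any real system).
SAMPLE_HYBRID='25 19 0:22 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:9 - tmpfs tmpfs ro,mode=755
26 25 0:23 / /sys/fs/cgroup/unified rw,nosuid,nodev,noexec,relatime shared:10 - cgroup2 cgroup rw
27 25 0:24 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:11 - cgroup cgroup rw,xattr,name=systemd
28 25 0:25 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:12 - cgroup cgroup rw,memory'
SAMPLE_V2='30 19 0:26 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:9 - cgroup2 cgroup rw,nsdelegate'

printf '%s\n' "$SAMPLE_HYBRID" | cgroup_mode            # hybrid
printf '%s\n' "$SAMPLE_HYBRID" | cgroup_v1_hierarchies  # the two legacy hierarchies
printf '%s\n' "$SAMPLE_V2" | cgroup_mode                # v2
```

To inspect a live machine, call `report_live_host` after sourcing the script; the classification step works on any saved mountinfo dump, which is convenient when auditing container images or hosts offline. A "hybrid" result (common on systemd distributions that were not switched to the unified hierarchy) still exposes legacy release_agent files and should be treated like "v1" for patch prioritisation.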
Remediation Mandates and Enterprise Timelines
Given the immediate operational risk, CISA has set an aggressive deadline for full remediation. Security experts note that while the mandate is binding only for federal networks, private-sector enterprises should act with the same urgency to protect cloud infrastructure and endpoint fleets.
IT teams running Linux infrastructure should upgrade to patched kernel releases or move workloads to cgroups v2. In parallel, mobile fleet administrators should ensure every Android device is updated to a security patch level that contains the fix.
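Confirming that an Android fleet meets a required security patch level is a simple comparison once the patch levels have been collected, but it is easy to get wrong when devices report nothing or a malformed value. The following is an added example, not code from the article or from Google: it audits a list of "<serial> <patch-level>" lines, the form produced by running `getprop ro.build.version.security_patch` on each device over adb, against a baseline. REQUIRED_PATCH_LEVEL is a placeholder; substitute the patch level named in the Google bulletin for the fix. The serials and dates are constructed.

```shell
#!/bin/sh
# Added example, not from the article or from Google: audit Android security
# patch levels against a required baseline. Device lines are
# "<serial> <patch-level>", as collected with
#   adb -s <serial> shell getprop ro.build.version.security_patch
# REQUIRED_PATCH_LEVEL is a PLACEHOLDER; set it to the level the vendor
# bulletin names for the fix. Function names are this example's own.
REQUIRED_PATCH_LEVEL="${REQUIRED_PATCH_LEVEL:-2025-01-01}"   # PLACEHOLDER baseline

# Patch levels are YYYY-MM-DD, so byte-wise ordering is date ordering.
# Returns 0 when the level meets the baseline, 1 otherwise. A missing or
# malformed value is treated as non-compliant rather than skipped.
patch_level_ok() {
    level=$1
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    # The smaller of the two strings is the baseline iff level >= baseline.
    [ "$(printf '%s\n%s\n' "$REQUIRED_PATCH_LEVEL" "$level" | LC_ALL=C sort | head -n 1)" = "$REQUIRED_PATCH_LEVEL" ]
}

# Read "<serial> <patch-level>" lines on stdin; print each non-compliant
# device as "<serial> <level-or-unknown>".
noncompliant_devices() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        patch_level_ok "$level" || echo "$serial ${level:-unknown}"
    done
}

# Constructed fleet inventory (serials and dates are made up).
SAMPLE_FLEET='R58M1234ABC 2025-03-05
R58M5678DEF 2024-11-01
R58M9012GHI 2025-01-01
R58M3456JKL'

printf '%s\n' "$SAMPLE_FLEET" | noncompliant_devices
# R58M5678DEF 2024-11-01
# R58M3456JKL unknown
```

To build the inventory on a live fleet, loop over `adb devices` and run the getprop command per serial, writing one line per device; devices that are offline or fail to answer produce a serial with no level and therefore appear in the non-compliant list instead of silently passing.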