CISA Adds Actively Exploited Vulnerabilities to KEV Catalog
- Jun 3
- 2 min read
Key Findings
CISA added two actively exploited vulnerabilities to the Known Exploited Vulnerabilities catalog requiring immediate remediation
CVE-2022-0492 affects Linux Kernel with CVSS 7.8, enabling privilege escalation and container escape attacks
CVE-2025-48595 targets Android 14 and later with CVSS 8.4, allowing arbitrary code execution with elevated privileges
Federal agencies must patch both vulnerabilities by June 5, 2026 under Binding Operational Directive 22-01
Both flaws are currently weaponized by threat actors in active attacks
Background
The Cybersecurity and Infrastructure Security Agency regularly tracks security vulnerabilities being actively exploited in the wild through its Known Exploited Vulnerabilities catalog. This list serves as a critical reference for defenders prioritizing patch deployment. Recently, CISA identified two new additions that pose immediate threats to both enterprise infrastructure and mobile endpoints. The agency mandates that Federal Civilian Executive Branch agencies address these flaws before established deadlines, with private sector organizations strongly encouraged to follow the same timeline.
Linux Kernel Namespace Isolation Bypass
CVE-2022-0492 represents a privilege escalation vulnerability in the Linux Kernel's cgroups v1 feature. The flaw exists in the cgroup_release_agent_write function within the subsystem code and carries a CVSS severity score of 7.8. Attackers exploit this by misusing the cgroups v1 release agent feature under specific operational conditions.
The vulnerability allows local attackers to escalate their privileges unexpectedly and bypass container namespace isolation boundaries entirely. This means adversaries can break out of containerized environments and gain direct access to the host system. Organizations running containerized workloads or cloud infrastructure using namespace isolation face significant risk if systems remain unpatched.
Android Framework Privilege Escalation
CVE-2025-48595 impacts Android devices running version 14 or later and represents a high-severity integer overflow vulnerability in the Android Framework. With a CVSS score of 8.4, the flaw allows local attackers to execute arbitrary code with elevated system privileges without requiring additional user permissions.
Google confirmed limited, targeted exploitation is already occurring in the wild. The June 2026 Android security update addresses this vulnerability alongside 123 other flaws across the mobile ecosystem. Organizations managing Android devices in corporate environments must deploy these patches urgently to prevent unauthorized system access.
Enforcement and Remediation Requirements
Federal agencies face strict compliance deadlines under Binding Operational Directive 22-01. All identified vulnerabilities must be remediated by June 5, 2026. These flaws represent frequent attack vectors used by malicious actors to gain initial system access and bypass security protections.
Private sector organizations should treat these deadlines as industry best practices rather than optional guidelines. Unpatched systems expose enterprise networks to severe operational disruption and unauthorized access to sensitive data. Prompt patching remains the most effective mitigation strategy against active exploitation campaigns.
Sources
https://securityonline.info/cisa-kev-actively-exploited-vulnerabilities/
https://securityaffairs.com/193067/security/u-s-cisa-adds-android-and-linux-kernel-flaws-to-its-known-exploited-vulnerabilities-catalog.html
https://securityaffairs.com/193027/security/u-s-cisa-adds-oracle-weblogic-flaw-to-its-known-exploited-vulnerabilities-catalog.html
https://www.cisa.gov/news-events/alerts/2026/06/01/cisa-adds-one-known-exploited-vulnerability-catalog
https://x.com/the_yellow_fall/status/2061993101330432383

Comments