Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that hackers are exploiting vulnerabilities in the Linux kernel and Android operating system. [...]
Analysis Summary
# Vulnerability: Android Framework & Linux Kernel Privilege Escalation
## CVE Details
- **CVE ID:** CVE-2025-48595 and CVE-2022-0492
- **CVSS Score:** High (no numeric scores are given in the source text; both issues are categorized as "High-severity")
- **CWE:**
  - CVE-2025-48595: Improper Validation of Specified Quantity in Input (Integer Overflow)
  - CVE-2022-0492: Improper Authentication / Privilege Escalation
## Affected Systems
- **Products:** Android OS and Linux Kernel
- **Versions:**
  - **Android:** Versions 14 through 16.
  - **Linux Kernel:** Multiple branches, including 2.6 through 4.20 and 5.5 through 5.17.
- **Configurations:**
  - **Linux:** Specifically impacts environments using **cgroups v1**. Containers granted elevated capabilities (e.g., CAP_SYS_ADMIN) are at higher risk.
## Vulnerability Description
- **CVE-2025-48595 (Android):** An integer overflow vulnerability within the Android Framework. If triggered, it allows an attacker to escalate privileges on the device without requiring any user interaction.
- **CVE-2022-0492 (Linux):** A flaw in the `cgroup_release_agent_write()` function of the cgroups v1 subsystem. Due to a lack of proper authentication checks, a local attacker can abuse the "release agent" feature to bypass namespace isolation. This allows for container escape and root-level access on the host system.
## Exploitation
- **Status:** Exploited in the wild (both added to the CISA KEV catalog). CVE-2025-48595 is under "limited, targeted exploitation."
- **Complexity:**
  - CVE-2025-48595: Low (no user interaction required).
  - CVE-2022-0492: Medium (requires local access or code execution inside a container).
- **Attack Vector:**
  - CVE-2025-48595: Local/Framework-based.
  - CVE-2022-0492: Local.
## Impact
- **Confidentiality:** High (Full system/host access potential)
- **Integrity:** High (Privilege escalation and unauthorized modifications)
- **Availability:** High (Potential for system-wide disruption or container termination)
## Remediation
### Patches
- **Android:** Update to security patch levels **2026-06-01** or **2026-06-05**.
- **Linux Kernel:** Update to the following versions (or newer):
  - 4.9.301+
  - 4.14.266+
  - 4.19.229+
  - 5.4.177+
  - 5.10.97+
  - 5.15.20+
  - 5.16.6+
  - 5.17-rc3+
### Workarounds
- **Linux:** Migrate from **cgroups v1** to **cgroups v2**, which provides improved security boundaries and lacks the vulnerable release agent mechanism in the same form.
- **Container Hardening:** Restrict container capabilities (avoid `--privileged` mode) and use Seccomp profiles to block writes to `release_agent` files.
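To turn the patch list and the cgroups v1 workaround above into something an administrator can run, the following added example (written for this page, not from CISA or any of the referenced vendors) checks a kernel release string against the fixed versions listed under "Patches", finds cgroup v1 hierarchies in `/proc/mounts` (fstype `cgroup` is v1, `cgroup2` is the unified v2 tree), and reports which `release_agent` files the current user could write. The affected-range logic follows the advisory's stated ranges; the classification of unlisted branches as "vulnerable" or "unknown" is this example's own assumption, and the sample `/proc/mounts` contents are constructed.

```python
import os
import re
import platform

# Minimum fixed patch level per stable branch for CVE-2022-0492, taken from the
# advisory's "Patches" list. Branch 5.17 is handled separately (fixed from rc3).
FIXED_PATCH = {
    (4, 9): 301, (4, 14): 266, (4, 19): 229, (5, 4): 177,
    (5, 10): 97, (5, 15): 20, (5, 16): 6,
}
# Affected branch ranges as the advisory states them (inclusive).
AFFECTED_RANGES = [((2, 6), (4, 20)), ((5, 5), (5, 17))]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")

# Constructed /proc/mounts excerpts (not captured from a real host).
SAMPLE_MOUNTS_V1 = """\
tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/rdma cgroup rw,nosuid,nodev,noexec,relatime,rdma 0 0
"""
SAMPLE_MOUNTS_V2 = """\
cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
"""


def kernel_status(release: str) -> str:
    """Classify a kernel release string such as '5.10.96-generic' against the
    advisory's fixed versions: returns 'patched', 'vulnerable' or 'unknown'."""
    m = _VERSION_RE.match(release)
    if not m:
        return "unknown"
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    rc = int(m.group(4)) if m.group(4) else None
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return "patched" if patch >= FIXED_PATCH[branch] else "vulnerable"
    if branch == (5, 17):
        # The fix landed in 5.17-rc3; the final 5.17 release carries it.
        return "vulnerable" if rc is not None and rc < 3 else "patched"
    if branch > (5, 17):
        return "patched"
    if any(lo <= branch <= hi for lo, hi in AFFECTED_RANGES):
        # Inside the stated affected range but no stable fix version is listed
        # on the page: treat as vulnerable (assumption made by this example).
        return "vulnerable"
    return "unknown"


def cgroup_v1_mounts(proc_mounts: str) -> list:
    """Return mount points of cgroup v1 hierarchies in /proc/mounts text.
    Only v1 hierarchies expose a release_agent file at their root."""
    mounts = []
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "cgroup":
            mounts.append(fields[1])
    return mounts


def writable_release_agents(mountpoints: list) -> list:
    """Of the given v1 mount points, list release_agent files the current
    process can write (os.access is a permission check, no write is made)."""
    found = []
    for mp in mountpoints:
        path = os.path.join(mp, "release_agent")
        if os.path.isfile(path) and os.access(path, os.W_OK):
            found.append(path)
    return found


def audit_host() -> dict:
    """Run the checks read-only against the live host."""
    try:
        with open("/proc/mounts") as f:
            mounts_text = f.read()
    except OSError:
        mounts_text = ""
    v1 = cgroup_v1_mounts(mounts_text)
    release = platform.release()
    return {
        "kernel": release,
        "kernel_status": kernel_status(release),
        "cgroup_v1_mounts": v1,
        "writable_release_agents": writable_release_agents(v1),
    }


if __name__ == "__main__":
    for key, value in audit_host().items():
        print(f"{key}: {value}")
```

A host that reports `kernel_status: vulnerable` together with a non-empty `cgroup_v1_mounts` list is the configuration the advisory describes; an empty v1 list on a `cgroup2`-only host corresponds to the migration recommended above. Run inside a container, a non-empty `writable_release_agents` result means the container can reach the root-level file that CVE-2022-0492 abuses, which is the condition the capability and profile restrictions are meant to remove.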
## Detection
- **Indicators of Compromise:** Unexpected writes to `release_agent` files in cgroup mount points.
- **Detection Methods:**
  - Monitor for unauthorized privilege escalation attempts in Android logs.
  - Audit container activity for escapes or unusual root-level commands originating from containerized processes.
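The indicator above (writes to `release_agent`) can be checked mechanically from Linux audit records. The following added example is not part of the CISA summary or the referenced research; it assumes an auditd watch on the cgroup tree such as `-w /sys/fs/cgroup -p wa -k cgroup_release_agent` (a hypothetical rule; whether a watch fires on cgroupfs should be confirmed on the kernel in use), and it assumes x86_64 syscall numbers (`open` = 2, `openat` = 257) when reading the open flags out of the `a1`/`a2` register fields. The audit lines are constructed and contain one write-open of `release_agent`, one read-only open of it, and one write to an unrelated cgroup file; only the first should alert.

```python
import re
from collections import defaultdict

# Constructed auditd records (not real captures). Each event is a SYSCALL record
# plus one PATH record sharing the same audit(ts:serial) identifier.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4001): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1 a2=241 a3=1b6 items=1 ppid=4100 pid=4123 auid=4294967295 uid=0 gid=0 euid=0 comm="sh" exe="/bin/busybox" key="cgroup_release_agent"
type=PATH msg=audit(1700000000.101:4001): item=0 name="/sys/fs/cgroup/memory/release_agent" inode=12 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.205:4002): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2 a2=0 a3=0 items=1 ppid=1 pid=900 auid=1000 uid=0 gid=0 euid=0 comm="cat" exe="/usr/bin/cat" key="cgroup_release_agent"
type=PATH msg=audit(1700000000.205:4002): item=0 name="/sys/fs/cgroup/memory/release_agent" inode=12 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.310:4003): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd3 a2=241 a3=1b6 items=1 ppid=1 pid=1010 auid=4294967295 uid=0 gid=0 euid=0 comm="containerd" exe="/usr/bin/containerd" key="cgroup_release_agent"
type=PATH msg=audit(1700000000.310:4003): item=0 name="/sys/fs/cgroup/memory/docker/abc123/memory.limit_in_bytes" inode=40 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")

O_WRONLY, O_RDWR = 0o1, 0o2
SYS_OPEN, SYS_OPENAT, SYS_WRITE = 2, 257, 1  # x86_64 numbers (assumption)


def parse_record(line: str) -> dict:
    """Split one audit line into a key/value dict; quotes are stripped and the
    event serial is stored under '_event' so records can be grouped."""
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    m = _MSG_RE.search(line)
    fields["_event"] = m.group(2) if m else None
    fields["_ts"] = m.group(1) if m else None
    return fields


def group_events(log_text: str) -> dict:
    """Group records by audit event serial."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["_event"]].append(rec)
    return events


def is_write_access(syscall_rec: dict) -> bool:
    """True if the SYSCALL record opened its target for writing (or is write(2))."""
    nr = int(syscall_rec.get("syscall", "-1"))
    if nr == SYS_WRITE:
        return True
    if nr == SYS_OPENAT:
        flags = int(syscall_rec.get("a2", "0"), 16)  # openat: flags in a2
    elif nr == SYS_OPEN:
        flags = int(syscall_rec.get("a1", "0"), 16)  # open: flags in a1
    else:
        return False
    return (flags & 0o3) in (O_WRONLY, O_RDWR)


def detect_release_agent_writes(log_text: str) -> list:
    """Return one alert per successful write access to a release_agent file."""
    alerts = []
    for event_id, records in sorted(group_events(log_text).items()):
        syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
        if syscall is None:
            continue
        targets = [r["name"] for r in records
                   if r.get("type") == "PATH" and r.get("name", "").endswith("/release_agent")]
        if targets and syscall.get("success") == "yes" and is_write_access(syscall):
            alerts.append({
                "event": event_id,
                "time": syscall.get("_ts"),
                "pid": syscall.get("pid"),
                "comm": syscall.get("comm"),
                "exe": syscall.get("exe"),
                "path": targets[0],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_release_agent_writes(SAMPLE_AUDIT_LOG):
        print("release_agent write:", alert)
```

The detector keys on the open flags rather than on the audit rule key alone, so a read of `release_agent` by an administrator does not page anyone, while any write-open of the file does. In practice the alert's `pid`/`comm`/`exe` should be correlated with the container runtime's process list to decide whether the writer was a containerized process, which is the "unusual root-level commands originating from containerized processes" case above.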
## References
- CISA Known Exploited Vulnerabilities Catalog: hxxp[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- BleepingComputer coverage of the Google Android Security Bulletin: hxxps[://]www[.]bleepingcomputer[.]com/news/security/google-fixes-one-actively-exploited-android-zero-day-124-flaws/
- Aqua Security Research: hxxps[://]www[.]aquasec[.]com/blog/new-linux-kernel-vulnerability-escaping-containers-by-abusing-cgroups/
- Palo Alto Networks Unit 42: hxxps[://]unit42[.]paloaltonetworks[.]com/cve-2022-0492-cgroups/