CISA added two high-severity vulnerabilities to its Known Exploited Vulnerabilities Catalog on June 2, 2026, including a Linux kernel privilege-escalation flaw dating back to 2022 and a newly disclosed integer overflow in the Android Framework. The move puts federal agencies and private organizations on notice: patch these within three weeks or risk active exploitation.

This isn’t the first time CISA has spotlighted flaws outside the Windows ecosystem. But for Windows administrators managing heterogeneous infrastructure—say, Windows servers alongside Linux containers or Android devices deployed in the field—the latest KEV update is a wake-up call.

Both CVE-2022-0492 and CVE-2025-48595 have been observed in active attacks, according to CISA. While neither directly affects Windows, the cross-platform nature of modern enterprise environments means that a compromise on a connected Linux or Android system can serve as a stepping stone to broader network intrusion, including Windows domain controllers or file shares.

Here’s what you need to know about the two vulnerabilities and how to secure your systems.

What is the CISA KEV Catalog?

The Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog is a living list of CVEs that federal civilian executive branch agencies must patch under Binding Operational Directive 22-01 (BOD 22-01). Although the mandate applies only to federal agencies, CISA strongly urges all organizations to prioritize these fixes. Vulnerabilities added to KEV carry a due date—typically three weeks from the listing date—and are accompanied by evidence of active exploitation in the wild.

The catalog covers software and devices from all vendors. Over the years, it has included everything from Exchange Server zero-days to Fortinet VPN bugs and, increasingly, Linux kernel and mobile OS flaws. For the week of June 2, 2026, the spotlight falls on an old container-escape bug and a fresh Android Framework hole.

CVE-2022-0492: The Linux Kernel cgroups Flaw Resurfaces

Technical Breakdown

CVE-2022-0492 is a privilege-escalation vulnerability in the Linux kernel’s control groups (cgroups) v1 implementation. Disclosed publicly in January 2022 and patched shortly thereafter, it allows a process inside a container to break out and execute code as root on the host system.

The flaw lies in the release_agent feature of cgroups v1. When a cgroup becomes empty, the kernel invokes a user-defined release agent binary—specified via the release_agent file—with full root privileges. The problem? The feature lacked sufficient namespace isolation. An unprivileged user who can write to a cgroup directory inside a container can set a malicious release_agent path pointing to a binary within the container’s own filesystem. When the cgroup is released, the kernel executes that binary on the host as root, bypassing all container boundaries.

Exploitation requires that the container be granted write access to a cgroup filesystem, which is the default Docker configuration unless --security-opt no-new-privileges or other hardening measures are applied. Attackers who have compromised a container—through a vulnerable web app, for instance—can use CVE-2022-0492 to pivot to the underlying host.

Active Exploitation and Impact

CISA added CVE-2022-0492 to KEV on June 2, 2026, indicating it is being weaponized in real-world attacks. While the vulnerability has been known for over four years, many organizations continue to run unpatched or misconfigured Linux hosts. Public proof-of-concept exploits have existed since 2022, and security firms have documented its use by ransomware gangs and cryptominers to escalate from a compromised container to the host node.

The impact is severe: full host compromise, which can lead to lateral movement, data exfiltration, and deployment of additional malware. In a Windows shop, a compromised Linux host that shares credentials or has SMB mounts can become a beachhead for attacking Windows servers.

Patching and Mitigation

The fix for CVE-2022-0492 was backported to multiple stable kernel branches (5.10, 5.15, 5.16) in early 2022. Any Linux kernel version released after February 2022 should include the patch. To verify, check your distribution’s changelog for the commit 1f4e03c9a5b1 or simply ensure you are running a supported, up-to-date kernel.

Additional mitigations include:
- Disabling cgroups v1 entirely if not needed (cgroup_no_v1=all kernel boot parameter).
- Using cgroups v2, which does not have the release_agent feature.
- Applying security profiles that prevent container writes to cgroup directories, such as seccomp or AppArmor profiles that block the unshare and mount syscalls.
- Running containers in rootless mode or with --privileged=false.
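The verification and mitigation steps above, as an added audit script that is not part of the article: it checks the kernel command line for cgroup_no_v1=all, lists cgroup v1 hierarchies from /proc/mounts (only v1 has release_agent), and reports any release_agent file that has been populated, which on a container host should never be the case. The function names, the AUDIT_LIVE variable and the sample inputs are this example's own; the kernel version check against your distribution's advisory is left to you.

```shell
#!/bin/sh
# Pure functions take file contents as arguments so they can be run on
# constructed input; the guarded block at the bottom runs them on the live host.

# 0 if the kernel command line disables every cgroup v1 hierarchy (cgroup_no_v1=all).
cgroup_v1_disabled() {
    case " $1 " in
        *" cgroup_no_v1=all "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the mount point of each cgroup v1 hierarchy in /proc/mounts text
# (filesystem type "cgroup" is v1 and has release_agent; "cgroup2" does not).
cgroup_v1_mounts() {
    printf '%s\n' "$1" | awk '$3 == "cgroup" { print $2 }'
}

# Print "path=value" for every non-empty release_agent under the given roots.
# A populated release_agent on a container host is what the CVE-2022-0492 abuse
# pattern leaves behind and should be investigated immediately.
populated_release_agents() {
    for root in "$@"; do
        f="$root/release_agent"
        [ -s "$f" ] && printf '%s=%s\n' "$f" "$(cat "$f")"
    done
    return 0
}

# One verdict per host; returns 1 when v1 hierarchies are mounted and not
# disabled at boot, i.e. when release_agent is still reachable.
audit_host() {
    if cgroup_v1_disabled "$1"; then
        echo "OK: cgroup_no_v1=all set; release_agent is unreachable"
        return 0
    fi
    v1=$(cgroup_v1_mounts "$2")
    if [ -z "$v1" ]; then
        echo "OK: only cgroup2 mounted; no release_agent feature"
        return 0
    fi
    echo "WARN: cgroup v1 mounted at:$(printf ' %s' $v1)"
    populated_release_agents $v1
    return 1
}

# Run against this host with AUDIT_LIVE=1; the kernel release is printed for
# the version check against your distribution's advisory.
if [ "${AUDIT_LIVE:-0}" = 1 ]; then
    echo "kernel $(uname -r)"
    audit_host "$(cat /proc/cmdline)" "$(cat /proc/mounts)" ||
        echo "ACTION: update kernel, move to cgroup v2, or block container cgroup writes"
fi
```

Run it as `AUDIT_LIVE=1 sh audit.sh` on each Linux host; a non-zero exit means the host still exposes the v1 release_agent path and needs one of the mitigations listed above.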

Given the KEV designation, organizations subject to BOD 22-01 must patch within three weeks—by June 23, 2026. All others should treat this as a top priority, especially if containers are part of production infrastructure.

CVE-2025-48595: Integer Overflow in Android Framework

Technical Details

CVE-2025-48595 is a newly disclosed integer-overflow vulnerability in the Android Framework, one of the core software layers that handles system services, activity management, and inter-process communication (IPC). The flaw arises when a specific IPC call is processed with a crafted integer value that overflows during a bounds check, potentially leading to a heap buffer overflow and subsequent code execution.

Google’s Android Security Bulletin for June 2026 flagged this as a critical-severity remote code execution (RCE) bug. Exploitation does not require user interaction; a malicious application or a specially crafted web page leveraging a companion browser flaw can trigger the overflow, though in practice an attacker might combine it with a privilege-escalation exploit to gain elevated permissions.

Exploitation Status

CISA’s addition of CVE-2025-48595 to KEV confirms that threat actors are actively using it in the wild. While details of the campaigns are scarce, mobile device compromises often target sensitive enterprise data on bring-your-own-device (BYOD) or corporate-owned phones. Android Framework RCEs are especially dangerous because they can be exploited remotely and often affect a wide range of devices across multiple manufacturers.

Affected Devices and Patching

Google’s bulletin indicates that the vulnerability affects Android versions 12 through 14, with severity highest on versions before Android 14. Patches were issued as part of the June 2026 Android security patch level (SPL), which device manufacturers must roll out individually. The KEV deadline for this CVE is also June 23, 2026.

Enterprise mobility management (EMM) and mobile device management (MDM) solutions should push the update immediately. Since Android patch adoption varies widely, organizations should verify patch levels on all managed devices and consider isolating unpatched phones from sensitive resources.

Why These CVEs Matter to Windows Administrators

At first glance, a Linux kernel bug and an Android flaw might seem irrelevant to a Windows-focused IT team. But the reality of enterprise networks is that they are massively heterogeneous. A study by Flexera in 2025 found that 68% of enterprises run a mix of Windows and Linux server workloads, and 81% support both Windows and Android endpoint fleets.

Here’s how these vulnerabilities can bite Windows environments:

  • Containerized workloads on Windows hosts: Many organizations run Linux containers on Windows Server via WSL2 (Windows Subsystem for Linux 2) or nested virtualization. A container-escape exploit on the Linux guest kernel can compromise the Windows host. Mitigating CVE-2022-0492 inside the Linux kernel is essential even if your main OS is Windows.
  • Mixed-mode server farms: A compromised Linux machine often has network access to Windows file servers, domain controllers, or Azure AD Connect sync servers. Attackers move laterally, harvesting credentials and escalating privileges. Patching Linux hosts that coexist with Windows infrastructure is crucial.
  • Android devices in the enterprise: Employees use Android phones to access Office 365, Teams, SharePoint, and other Windows-centric cloud apps. An RCE on an Android device can be used to steal OAuth tokens, two-factor authentication codes, and corporate data, paving the way for an intrusion into the Windows environment.

Security teams should ensure that vulnerability scanners cover all OS platforms and that patching workflows include Linux and Android as first-class citizens alongside Windows.

How to Respond: A Prioritized Checklist

  1. Identify exposed systems: Scan all Linux hosts for the release_agent vulnerability. Tools like Trivy, Qualys, or even a simple kernel version check will reveal unpatched systems.
  2. Apply kernel updates immediately: For servers, apply the latest stable kernel from your distribution. For containers, rebuild images with a patched base OS and push them through your CI/CD pipeline.
  3. Enforce Android patches: Use MDM to push the June 2026 security patch to all Android devices. Report non-compliance to management; if devices cannot be patched (e.g., end-of-life models), block their access to corporate apps.
  4. Audit container orchestration: If you use Kubernetes, ensure your pods run with minimal privileges. Consider deploying PSPs (Pod Security Policies) or their successors that block write access to cgroup filesystems.
  5. Review KEV regularly: CISA updates the catalog almost daily. Integrating KEV data into your SIEM or patch management tool can help you stay ahead of emerging threats.

The Bigger Picture

CISA’s KEV catalog has become the de facto priority list for enterprise patch management, much like Microsoft’s Patch Tuesday for the Windows world. The June 2 update serves as a reminder that effective defense requires vigilance across every operating system in your fleet. With a three-week deadline, the clock is ticking.

Even if your organization isn’t bound by BOD 22-01, the business case is clear: these vulnerabilities are being actively exploited, and failure to patch invites costly breaches. Take a few hours now to patch—you might save days of recovery later.