Skip to main content
TechnologyJun 4, 2026· 2 min read

Zero-click Vulnerability on Android, Linux Also Under Attack: CISA Sounds the Alarm

The United States Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its active threat registry, accessible directly on the official CISA portal. These are security flaws that directly impact the Android operating system and the Linux kernel, for which active attacks have already been detected in the field.

The first vulnerability added, identified as CVE-2025-48595, is a high-severity integer overflow issue located in the Android Framework. This flaw allows for privilege escalation on the mobile device. According to the latest Google security bulletin, the vulnerability affects Android versions from 14 to 16 and does not require any user interaction to be exploited, making it a formidable zero-click attack.

CISA warns: new vulnerabilities discovered on Android and Linux. Although Google has confirmed that the flaw is currently subject to targeted and limited exploitation in real-world scenarios, no further technical details or specific information regarding related incidents have been released. The issue has been addressed with the release of security patches in June 2026 (patch levels 2026-06-01 and 2026-06-05). For users of the green robot, updating their devices is a top priority to avoid personal data compromise.

The second security flaw listed in CISA's KEV is tracked as CVE-2022-0492, a high-severity privilege escalation defect affecting various branches of the Linux kernel, specifically the branches from 2.6 to 4.20 and from 5.5 to 5.17. The problem lies in the function cgroup_release_agent_write() of the cgroups v1 subsystem. Due to insufficient authentication checks, a local malicious user can exploit this weakness to bypass namespace isolation, elevate their privileges, and potentially escape from a container to gain root access to the entire host system.

Previous analyses conducted by Aqua Security and Palo Alto Networks, cited by Bleeping Computer, indicate that this vulnerability primarily impacts containerized environments using cgroups v1, with an extremely high level of risk when the containers already enjoy high capabilities. The Linux kernel branches that introduce the necessary fixes for this vulnerability are: 4.9.301+, 4.14.266+, 4.19.229+, 5.4.177+, 5.10.97+, 5.15.20+, 5.16.6+, and 5.17-rc3+. Those managing server infrastructures based on outdated Linux distributions must apply these patches to protect the stability of the entire corporate infrastructure.

The inclusion of these two threats in the KEV registry requires all U.S. federal agencies, bound by directive BOD 22-01, to apply the corrections provided by their respective vendors or, alternatively, to cease using the vulnerable software by the June 5 deadline. Although the formal obligation concerns American public institutions, CISA's warning acts as a true alarm bell for critical infrastructures and large enterprises worldwide. Fortunately, neither of the two vulnerabilities has been reportedly exploited in campaigns linked to ransomware groups, an indicator that CISA uses to highlight maximum emergency scenarios.