Weekly CVE Digest 2026-06-09: Linux, Android, Magento, SolarWinds

Four CVEs hit CISA KEV this week: Linux, Android, Magento RCE, and SolarWinds DoS. See which patch cuts the most risk against confirmed exploitation.

Four CVEs landed on the CISA Known Exploited Vulnerabilities catalog between June 2 and June 5, 2026. Two target widely deployed infrastructure: Linux kernel container hosts and Android devices. One hits e-commerce servers running a popular Magento extension. One crashes file-transfer appliances exposed on the public internet.

The pattern this week is consistent with the past several months. A four-year-old Linux CVE with a near-perfect EPSS percentile resurfaces because unpatched hosts still exist at scale. A Google-confirmed zero-day with low EPSS but targeted deployment suggests spyware-style use rather than mass automation. An unauthenticated RCE in a widely installed Magento module gets added within days of exploitation being observed. And a DoS flaw in SolarWinds Serv-U earns a KEV entry because 12,000 instances are reachable from the public internet. None of these are theoretical.

Three acronyms run through this digest. CVSS scores how damaging a flaw would be if someone exploited it, on a 0 to 10 scale. EPSS estimates the chance it gets exploited in the next 30 days, shown as a probability and a percentile against every other tracked CVE. KEV is CISA’s catalog of flaws with confirmed real-world attacks behind them. Severity and likelihood are not the same thing: a 9.8 that nobody is attacking can wait behind a 7.5 that is already in active use. The full method is in our CVSS vs EPSS vs KEV breakdown.
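
As a worked version of that ordering, here is an added Python example (not CloudKey's scoring code) that sorts a queue into KEV, likely, and everything-else tiers using the four CVEs covered in this digest plus one constructed non-KEV entry; the EPSS threshold it uses is an assumption chosen for illustration, not a CISA or FIRST definition.

```python
"""Order a patch queue by KEV status, then severity, then likelihood.

Added example for this digest; it is not CloudKey tooling and the tier
boundary is a choice made here, not a CISA or FIRST definition. The four
KEV rows carry the scores quoted in the digest; the fifth row is a
constructed, hypothetical non-KEV flaw that shows where a critical-severity
CVE with no evidence of exploitation lands.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float                 # CVSS v3.x base score, 0 to 10
    epss: float                 # EPSS probability, 0 to 1
    kev: bool                   # listed in CISA KEV
    fceb_deadline: Optional[str] = None   # ISO date from the KEV entry, if quoted


HIGH_EPSS = 0.10   # assumed EPSS probability at or above which a CVE is "likely soon"


def tier(v: Vuln) -> int:
    """0 = confirmed exploited (KEV), 1 = likely exploited (EPSS), 2 = the rest."""
    if v.kev:
        return 0
    if v.epss >= HIGH_EPSS:
        return 1
    return 2


def priority_key(v: Vuln):
    # Lower sorts first. Within a tier, higher impact (CVSS) wins, then higher
    # likelihood (EPSS); the FCEB deadline is carried for reporting, not ordering.
    return (tier(v), -v.cvss, -v.epss)


def order_queue(vulns: List[Vuln]) -> List[str]:
    """CVE identifiers in the order they should be worked."""
    return [v.cve for v in sorted(vulns, key=priority_key)]


DIGEST = [
    Vuln("CVE-2022-0492", 7.8, 0.34, True, "2026-06-05"),
    Vuln("CVE-2025-48595", 8.4, 0.005, True),
    Vuln("CVE-2026-45247", 9.8, 0.061, True),
    Vuln("CVE-2026-28318", 7.5, 0.067, True, "2026-06-19"),
    # Constructed placeholder, not a real identifier: critical, not exploited.
    Vuln("EXAMPLE-NOT-IN-KEV", 9.8, 0.01, False),
]

if __name__ == "__main__":
    for v in sorted(DIGEST, key=priority_key):
        print(f"tier {tier(v)}  {v.cve:<20} CVSS {v.cvss:<4} EPSS {v.epss:<6} "
              f"deadline {v.fceb_deadline or '-'}")
```

The placeholder 9.8 lands last even though it outscores every KEV entry on CVSS, which is the point of the digest's triage rule: confirmed exploitation moves a CVE to the front of the queue, and severity only decides order among entries with the same evidence behind them.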

What hit KEV this week

CISA adds CVEs under Binding Operational Directive 22-01, which requires Federal Civilian Executive Branch agencies to remediate within a fixed window. Those deadlines are a useful external benchmark for any team that needs a defensible reason to escalate a patch to an emergency window.

CVE-2022-0492: Linux Kernel cgroups v1 Privilege Escalation

Added to KEV: June 2, 2026. FCEB deadline: June 5, 2026.

CVSS base score: 7.8 (High). EPSS: 34% (97th percentile).

The cgroups v1 release_agent file holds a path that the kernel executes, as root on the host, when the last process leaves a cgroup whose notify_on_release flag is set. Before the fix the kernel performed no capability check on writes to that file, so anyone who could mount a cgroup v1 hierarchy could set it. From inside a container that is the case when the container holds CAP_SYS_ADMIN and nothing blocks the mount, or when it can create a new user namespace (unshare -UrmC) and mount the hierarchy there as that namespace's root. The escape then takes under a minute: mount a cgroup v1 memory controller, create a child cgroup with notify_on_release set to 1, write the host-side path of an attacker-controlled script (typically the container's overlay upperdir, readable from /etc/mtab) into the hierarchy's release_agent, then spawn a process in the child cgroup and let it exit.

The CVE was patched in 2022. A 97th-percentile EPSS score in June 2026, four years after the fix shipped, signals that exploitation activity is still being observed at scale, which is only possible because container hosts running unpatched kernels with cgroups v1 still exist. CISA adding a 2022 CVE to KEV is not a housekeeping exercise. It is a signal that attackers have standing tooling for this vector and are using it.

Mitigation: first, run a kernel that carries the 2022 fix, which adds the missing capability check on release_agent writes. Then switch to cgroups v2, which has no release_agent file at all and is the default on current distributions. Verify from inside running containers that no cgroup v1 hierarchy is mounted (/proc/mounts shows fstype cgroup rather than cgroup2) and that /proc/self/cgroup carries only the unified "0::" line. Keep the default seccomp profile and an AppArmor or SELinux policy enforced: the escape needs mount or unshare, and Docker's default profiles deny both to containers without CAP_SYS_ADMIN, so the exposed hosts are those running containers with --privileged, CAP_SYS_ADMIN, a custom profile, or no LSM at all.
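
An added helper for the verification step above, written for this digest rather than taken from any distribution or vendor tool: it classifies the cgroup mounts visible in /proc/mounts, reads which controllers the current process sits on from /proc/self/cgroup, and reports whether the precondition for this escape (a mounted cgroup v1 hierarchy that the process belongs to) is present. The sample file contents embedded below are constructed so it runs offline; on a real host the main block reads the live files.

```python
"""Audit cgroup v1 exposure from /proc/mounts and /proc/self/cgroup.

Added example for this digest; it is not a distribution or vendor tool.
The sample file contents below are constructed so the functions run
offline; on a real host the __main__ block reads the live files instead.
"""
import os
import re
from typing import Dict, List


def cgroup_mounts(proc_mounts: str) -> Dict[str, List[str]]:
    """Return {'v1': [...], 'v2': [...]} mountpoints from /proc/mounts text.

    Fields are: device mountpoint fstype options dump pass. Every cgroup v1
    controller hierarchy mounts with fstype 'cgroup'; the unified v2
    hierarchy mounts with fstype 'cgroup2'.
    """
    found: Dict[str, List[str]] = {"v1": [], "v2": []}
    for line in proc_mounts.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        mountpoint, fstype = parts[1], parts[2]
        if fstype == "cgroup":
            found["v1"].append(mountpoint)
        elif fstype == "cgroup2":
            found["v2"].append(mountpoint)
    return found


def v1_controllers_in_use(proc_self_cgroup: str) -> List[str]:
    """Controllers the current process belongs to on v1 hierarchies.

    Each /proc/self/cgroup line is 'ID:controllers:path'. On the v2 unified
    hierarchy the controller field is empty ('0::/path'); a non-empty
    field means the process is attached to a v1 hierarchy.
    """
    ctrls: List[str] = []
    for line in proc_self_cgroup.splitlines():
        m = re.match(r"^\d+:([^:]*):", line)
        if m and m.group(1):
            ctrls.extend(c for c in m.group(1).split(",") if c)
    return ctrls


def v1_exposed(proc_mounts: str, proc_self_cgroup: str) -> bool:
    """True when the precondition for the release_agent escape is present:
    a cgroup v1 hierarchy is mounted here and this process sits on one.
    cgroup v2 has no release_agent file, so a pure v2 host returns False."""
    return bool(cgroup_mounts(proc_mounts)["v1"]) and bool(v1_controllers_in_use(proc_self_cgroup))


def writable_release_agents(v1_mountpoints: List[str]) -> List[str]:
    """Of the given v1 mountpoints, those whose release_agent file this
    process could write (checked against the live filesystem)."""
    return [mp for mp in v1_mountpoints
            if os.access(os.path.join(mp, "release_agent"), os.W_OK)]


# Constructed sample: a hybrid host with v1 controllers beside a v2 mount.
SAMPLE_MOUNTS_HYBRID = """\
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpu,cpuacct 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
"""
SAMPLE_SELF_HYBRID = """\
3:memory:/docker/abc
2:cpu,cpuacct:/docker/abc
0::/docker/abc
"""
# Constructed sample: a pure cgroup v2 host.
SAMPLE_MOUNTS_V2 = "cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0\n"
SAMPLE_SELF_V2 = "0::/docker/abc\n"

if __name__ == "__main__":
    try:
        with open("/proc/mounts") as f, open("/proc/self/cgroup") as g:
            mounts_text, self_text = f.read(), g.read()
    except OSError:                      # not Linux: fall back to the constructed sample
        mounts_text, self_text = SAMPLE_MOUNTS_HYBRID, SAMPLE_SELF_HYBRID
    mounts = cgroup_mounts(mounts_text)
    print("cgroup mounts:", mounts)
    print("v1 controllers in use:", v1_controllers_in_use(self_text))
    print("v1 exposed:", v1_exposed(mounts_text, self_text))
    print("writable release_agent files:", writable_release_agents(mounts["v1"]))
```

A True from v1_exposed is not proof of a working escape: the writer still needs a writable release_agent and a host path it controls, which is why the last line checks write access on the live mountpoints. A False on a pure v2 host closes this vector regardless of kernel version.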

CVE-2025-48595: Android Framework Integer Overflow

Added to KEV: June 2, 2026.

CVSS base score: 8.4 (High). EPSS: 0.5% (68th percentile).

The low EPSS and the KEV listing are not contradictory. They describe different things. EPSS reflects a low probability of broad exploitation; the KEV listing reflects confirmed targeted exploitation. That combination is a fingerprint of surveillance-tool deployment: a small number of sophisticated actors, a large pool of potential victims who have not yet applied the June 2026 Android Security Update, and a window that lasts as long as the patch lag does.

The integer overflow is in the Android Framework and affects Android 14, 15, and 16. A locally installed application with no special permissions sends a malicious intent carrying a large integer value to a vulnerable Framework service. The integer overflows, causing the service to allocate a zero-byte buffer and copy a large payload into it. A ROP chain in that payload disables SELinux enforcement or spawns a root shell. The attacker gains system-level privileges with access to all user data and device functions.

Fix: apply the June 2026 Android Security Update. For enterprise MDM environments, treat this as a 48-hour compliance window on corporate-owned devices, not the default monthly cycle.
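
To make the failure mode concrete, here is an added illustration (not Android code and not the CVE-2025-48595 trigger, whose exact field layout the digest does not give) of a 32-bit size computation wrapping to zero and the overflow-safe check that stops it. The two-field parcel header, the names and the sample values are constructed for the example.

```python
"""32-bit size computation: wrapping product versus overflow-safe check.

Added illustration of the bug class in the Android Framework entry. It is
not Android code and not the CVE-2025-48595 trigger, whose field layout the
digest does not give; the two-field parcel header, the names and the sample
values are constructed. Sizes are masked to 32 bits to mimic a C unsigned int.
"""
import struct

U32_MAX = 0xFFFFFFFF


def read_header(parcel: bytes):
    """Constructed layout: two little-endian u32 fields, count then elem_size."""
    return struct.unpack_from("<II", parcel, 0)


def alloc_size_unsafe(count: int, elem_size: int) -> int:
    """Mimics `uint32_t n = count * elem_size;` in C: the product wraps."""
    return (count * elem_size) & U32_MAX


def alloc_size_safe(count: int, elem_size: int) -> int:
    """Refuse a product that does not fit in 32 bits. The C equivalent is
    __builtin_mul_overflow() or `count > UINT32_MAX / elem_size`."""
    if elem_size == 0 or count > U32_MAX // elem_size:
        raise ValueError("size computation would overflow")
    return count * elem_size


def copy_payload(buf_size: int, payload: bytes) -> bytes:
    """Stand-in for the memcpy into the freshly allocated buffer."""
    if len(payload) > buf_size:
        raise OverflowError(f"{len(payload)} bytes into a {buf_size}-byte buffer")
    return payload


def handle_parcel(parcel: bytes, payload: bytes, hardened: bool) -> str:
    """Outcome of one service call: 'ok', 'rejected' or 'heap-overflow'."""
    count, elem_size = read_header(parcel)
    try:
        size = alloc_size_safe(count, elem_size) if hardened else alloc_size_unsafe(count, elem_size)
        copy_payload(size, payload)
        return "ok"
    except ValueError:
        return "rejected"        # hardened path refused the size
    except OverflowError:
        return "heap-overflow"   # unsafe path copied past a too-small buffer


# Constructed inputs: 0x40000000 * 4 == 2**32, which wraps to a 0-byte allocation.
MALICIOUS_PARCEL = struct.pack("<II", 0x40000000, 4)
BENIGN_PARCEL = struct.pack("<II", 16, 4)
PAYLOAD = b"A" * 64

if __name__ == "__main__":
    for name, parcel in (("benign", BENIGN_PARCEL), ("malicious", MALICIOUS_PARCEL)):
        print(name, "unsafe:", handle_parcel(parcel, PAYLOAD, hardened=False),
              "hardened:", handle_parcel(parcel, PAYLOAD, hardened=True))
```

The check in alloc_size_safe divides rather than multiplies so the comparison itself cannot overflow; the same shape applies to additions (compare against UINT32_MAX minus the header size before adding).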

CVE-2026-45247: Mirasvit Full Page Cache Warmer Deserialization (Magento / Adobe Commerce)

Added to KEV: June 3, 2026.

CVSS base score: 9.8 (Critical). EPSS: 6.1% (91st percentile).

This is unauthenticated remote code execution via PHP object deserialization in the Mirasvit Full Page Cache Warmer extension for Magento 2 and Adobe Commerce, all versions before 1.11.12. The attack path is a single HTTP request: a base64-encoded serialized PHP object in the CacheWarmer cookie reaches the extension's deserialization without validation, and a gadget chain drawn from the application's dependency tree turns that into arbitrary command execution as the web server user.

No authentication is required. Active exploitation has been observed in campaigns targeting gaming platforms and business e-commerce sites, with the US, UK, France, and Australia the most targeted regions. The pattern is automated scanning for unpatched Magento instances followed by payload delivery. CISA added the CVE a little over a week after the fixed version shipped (May 25 to June 3), which means attackers were exploiting it before most administrators had time to apply the fix.

Fix: update to Mirasvit Full Page Cache Warmer version 1.11.12 or later, released May 25, 2026. If immediate patching is blocked, disable the extension. A WAF rule that rejects cookie values which base64-decode to a PHP serialized object (the O:<length>:"ClassName" marker) reduces exposure in the meantime, but treat it as a stopgap: it protects only the cookie path the campaign is using today, and encoding variants can slip past pattern matching.
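
One way to implement that stopgap cookie check, as an added example that is neither Mirasvit nor Adobe code: it takes the cookie name from the digest, handles percent-encoding, URL-safe base64 and stripped padding before matching, and constructs its own sample cookie values (the Gadget class name is a placeholder, not a real gadget-chain class).

```python
"""Flag cookies whose value base64-decodes to a serialized PHP object.

Added example of the stopgap WAF check; it is not Mirasvit or Adobe code.
The cookie name comes from the digest; the sample values are constructed and
the class name Gadget is a placeholder, not a real gadget-chain class.
"""
import base64
import binascii
import re
from typing import Dict, Optional
from urllib.parse import unquote

# PHP serialization markers that carry a class name, at the start of the
# payload or nested after '{' or ';':  O:<len>:"<Class>":<n>:{  and  C:<len>:"<Class>":<len>:{
PHP_OBJECT = re.compile(rb'(?:^|[{;])[OC]:\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')


def decode_cookie_value(value: str) -> Optional[bytes]:
    """Percent-decode, accept URL-safe base64, restore padding; None if not base64."""
    raw = unquote(value).replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_php_object(decoded: bytes) -> bool:
    return PHP_OBJECT.search(decoded) is not None


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie request header into {name: value}."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = val.strip()
    return cookies


def flag_request(cookie_header: str) -> Dict[str, bytes]:
    """{cookie_name: decoded payload} for every cookie carrying a serialized object."""
    hits: Dict[str, bytes] = {}
    for name, val in parse_cookie_header(cookie_header).items():
        decoded = decode_cookie_value(val)
        if decoded is not None and looks_like_php_object(decoded):
            hits[name] = decoded
    return hits


# Constructed samples.
MALICIOUS_COOKIE = base64.b64encode(b'O:6:"Gadget":1:{s:3:"cmd";s:2:"id";}').decode()
BENIGN_COOKIE = base64.b64encode(b'a:1:{s:4:"page";s:1:"/";}').decode()   # plain array, no class
SAMPLE_HEADER = f"PHPSESSID=abc123; CacheWarmer={MALICIOUS_COOKIE}; theme={BENIGN_COOKIE}"

if __name__ == "__main__":
    for name, payload in flag_request(SAMPLE_HEADER).items():
        print(f"block: cookie {name} decodes to {payload!r}")
```

The rule deliberately matches only class-bearing records (O: and C:), so a serialized array or scalar in a cookie passes; arrays cannot trigger __wakeup or __destruct gadgets on their own. The durable fix on the application side is to stop calling unserialize on untrusted input, or at least to pass allowed_classes => false, which makes any object in the payload deserialize as __PHP_Incomplete_Class.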

CVE-2026-28318: SolarWinds Serv-U Uncontrolled Resource Consumption

Added to KEV: June 5, 2026. FCEB deadline: June 19, 2026.

CVSS base score: 7.5 (High). EPSS: 6.7% (91st percentile).

An unauthenticated attacker can crash SolarWinds Serv-U by sending a crafted POST request with a Content-Encoding: deflate header containing a malformed compressed payload. During decompression, the Serv-U service exhausts system resources and terminates. No authentication is needed. No user interaction is needed. The attack requires only network access to the Serv-U listener.

The DoS classification may understate the operational impact in practice. Serv-U is deployed as a managed file transfer appliance in healthcare, government, and financial services environments. A targeted crash during a scheduled transfer window creates downstream compliance gaps and operational failures beyond the crash itself. Shodan indexed over 12,000 Serv-U instances on the public internet at the time of KEV listing.

Fix: upgrade to SolarWinds Serv-U 15.5.4 Hotfix 1. For environments that cannot patch immediately, restrict inbound access to Serv-U to known partner IP ranges at the network perimeter.
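
The guard a server should apply to any Content-Encoding: deflate body, shown as an added example that is not SolarWinds code and says nothing about how Serv-U itself decompresses input: the inflated size is capped before the stream is fully expanded, and a truncated or corrupt stream is rejected rather than retried. The decompression bomb it tests against is constructed in memory; the 1 MiB cap is a chosen value.

```python
"""Bounded inflate for a Content-Encoding: deflate request body.

Added example of the server-side guard this class of bug calls for; it is
not SolarWinds code and makes no claim about how Serv-U decompresses input.
Two failure modes are handled: a body that inflates far beyond its
compressed size (a decompression bomb) and a body that is truncated or not
deflate data at all. The bomb is constructed in memory; MAX_BODY is a chosen cap.
"""
import zlib

MAX_BODY = 1 << 20   # 1 MiB: the most inflated request body this handler will hold


class BodyTooLarge(Exception):
    pass


def inflate_bounded(data: bytes, limit: int = MAX_BODY,
                    wbits: int = zlib.MAX_WBITS) -> bytes:
    """Inflate `data` without ever materialising more than `limit` bytes.

    zlib.MAX_WBITS expects a zlib-wrapped stream (RFC 1950), which is what most
    clients send as 'deflate'; pass -zlib.MAX_WBITS for raw deflate (RFC 1951).
    """
    d = zlib.decompressobj(wbits)
    # Ask for at most limit+1 bytes. Receiving that many proves the stream
    # exceeds the cap, and zlib stops there instead of inflating the rest.
    out = d.decompress(data, limit + 1)
    if len(out) > limit or d.unconsumed_tail:
        raise BodyTooLarge(f"inflated body exceeds {limit} bytes")
    if not d.eof:
        raise zlib.error("truncated or malformed deflate stream")
    return out


def classify_body(data: bytes, limit: int = MAX_BODY) -> str:
    """'ok', 'too_large' or 'malformed': what the handler should do with the body."""
    try:
        inflate_bounded(data, limit)
        return "ok"
    except BodyTooLarge:
        return "too_large"
    except zlib.error:
        return "malformed"


def make_bomb(inflated_size: int) -> bytes:
    """Constructed decompression bomb: repetitive input compresses about 1000:1."""
    return zlib.compress(b"\0" * inflated_size, 9)


# Constructed request bodies.
BOMB = make_bomb(16 * 1024 * 1024)                   # ~16 KiB on the wire, 16 MiB inflated
SMALL_BODY = zlib.compress(b"hello serv-u")
TRUNCATED_BODY = zlib.compress(b"x" * 5000)[:8]      # header plus a few bytes, no end of stream
GARBAGE_BODY = b"this is not a deflate stream"

if __name__ == "__main__":
    print(f"bomb: {len(BOMB)} bytes on the wire ->", classify_body(BOMB))
    print("small body ->", classify_body(SMALL_BODY))
    print("truncated ->", classify_body(TRUNCATED_BODY))
    print("garbage ->", classify_body(GARBAGE_BODY))
```

Passing max_length to decompress is what makes the cap enforceable: a plain zlib.decompress call allocates the whole output before returning, so checking the result's length afterwards is too late. The same idea applies to gzip and brotli bodies and to nested archives, where the ratio between wire size and inflated size, not the wire size alone, is the number to limit.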

What to change in your queue this week

This week’s KEV additions span four distinct attack surfaces: container infrastructure, mobile devices, e-commerce servers, and file transfer appliances. All four have fixes available. All four are confirmed exploited.

Concrete steps:

  1. Linux container hosts: audit all container workloads for cgroups v1 mounts. Apply kernel patches where available and enforce cgroups v2 for new workloads. Verify that AppArmor or SELinux profiles are enforced, not in permissive mode.

  2. Android fleet: enforce a 48-hour compliance window for the June 2026 Android Security Update on corporate-owned devices. Personal devices accessing corporate mail or VPN need enrollment or quarantine enforcement to close the same gap.

  3. Magento and Adobe Commerce: run composer show mirasvit/module-cache-warmer against every e-commerce instance today. Any version below 1.11.12 is an open RCE vector with active exploitation behind it. Update or disable.

  4. SolarWinds Serv-U: apply Hotfix 1 on every instance before June 19. Remove public internet exposure for Serv-U listeners where the transfer endpoints can be scoped to known partner addresses.

KEV is a short list by design. This week it added four CVEs confirmed to be in active attacker tooling. Clearing all four removes known exploitation vectors. That is what the list is for, and it is the argument for sorting your patch queue by KEV status before anything else.

Security research team

CloudKey Security Research

The CloudKey research team tracks emerging CVEs, exploit chains and active campaigns. Findings feed the platform and the customer advisories that follow.