Vulnerability Intelligence Report — June 3, 2026
Coverage: June 2–3, 2026 | New CISA KEV additions: 2 | KEV deadlines today: 7 | KEV deadlines tomorrow: 3 | KEV deadlines June 5: 2
Previous reports: June 2, 2026 | June 1, 2026
Today — June 3, 2026 — seven CISA KEV remediation deadlines arrive simultaneously, headlined by Microsoft Defender (CVE-2026-41091, CVE-2026-45498). CISA added two new entries: an actively exploited Android Framework zero-day (CVE-2025-48595) and a Linux kernel cgroups privilege escalation (CVE-2022-0492), both due June 5. Google’s June 2026 Android bulletin patches 124 vulnerabilities including the exploited zero-day. Tomorrow brings three more KEV deadlines: Oracle WebLogic, Trend Micro Apex One, and Langflow.
Quick Reference — Most Important Vulnerabilities Today
Android Framework: CVE-2025-48595 (NEW CISA KEV, actively exploited zero-day, due June 5)
Linux Kernel cgroups: CVE-2022-0492 (NEW CISA KEV, LPE via cgroups v1, due June 5)
KEV DEADLINE TODAY: Microsoft Defender CVE-2026-41091 / CVE-2026-45498 + 5 legacy CVEs
KEV DEADLINE TOMORROW: Oracle WebLogic CVE-2024-21182 / Trend Micro CVE-2026-34926 / Langflow CVE-2025-34291
Windows Netlogon: CVE-2026-41089 (CVSS 9.8, Belgian govt exploitation warning)
Citrix NetScaler: CVE-2026-3055 (CVSS 9.8, large-scale exploitation per Fortinet)
ARMember Premium WP: CVE-2026-5076 (CVSS 9.8, plaintext password reset key exposed)
Android Framework — CVE-2025-48595 (Actively Exploited Zero-Day, NEW CISA KEV)
Software affected: Android 14 and later, across all device manufacturers. The vulnerability exists in the Android Framework component — the core system layer present on every Android device.
CVE: CVE-2025-48595 | CVSS 8.4 High | Integer Overflow leading to Local Privilege Escalation | Actively exploited in targeted attacks — confirmed by Google | Added to CISA KEV June 2, 2026 — federal agency deadline June 5, 2026
Fixable: Yes. The fix is included in the June 2026 Android security patch level (2026-06-01 and 2026-06-05 patch levels). Google has released the patches to Android OEMs. Device manufacturers are responsible for distributing the update to end-user devices — availability timing varies by manufacturer and carrier.
Business impact: An integer overflow vulnerability in the Android Framework allows local privilege escalation to gain code execution without requiring additional execution privileges or user interaction. Google has confirmed “limited, targeted exploitation” — the standard phrasing the company uses when commercial spyware vendors or nation-state actors are actively exploiting a vulnerability against specific high-value targets. The vulnerability is present in Android 14 and later, covering the vast majority of actively supported Android devices in both consumer and enterprise environments. Google’s June 2026 Android Security Bulletin patches a total of 124 vulnerabilities including 18 rated Critical — this is a substantial monthly update. While the exploitation is currently described as limited and targeted, the addition to CISA KEV with a June 5 deadline signals urgency. Enterprise environments using Android Enterprise (work profile) or Android-based mobile device management should prioritise this update across their managed fleet.
How to fix: Apply the June 2026 Android security update. On managed devices, push the update via your MDM/EMM platform. Verify the Android security patch level reads June 1, 2026 or later (Settings > About Phone > Android Security Patch Level). For unmanaged devices, instruct users to check for updates (Settings > System > System Update). Note that update availability depends on device manufacturer and carrier — Pixel devices typically receive updates first, while third-party OEMs may take days to weeks. In the interim, consider restricting access to sensitive enterprise resources from devices that have not yet received the June patch level through conditional access policies.
Recommended action: High priority for enterprise Android fleets. Push the June Android security update as soon as device manufacturers make it available. The confirmed exploitation — even if currently limited — combined with the CISA KEV deadline of June 5 makes this a time-sensitive item. Apply conditional access restrictions for unpatched devices if update distribution is delayed by your device OEM.
Official source: Android Security Bulletin — June 2026 | CISA KEV Catalog
Linux Kernel cgroups — CVE-2022-0492 (NEW CISA KEV, Privilege Escalation via cgroups v1)
Software affected: Linux kernel — all versions with cgroups v1 release_agent functionality enabled. The vulnerability exists in the cgroup_release_agent_write function in kernel/cgroup/cgroup-v1.c.
CVE: CVE-2022-0492 | CVSS 7.8 High | Improper Authentication / Privilege Escalation | Added to CISA KEV June 2, 2026 — federal agency deadline June 5, 2026
Fixable: Yes. The kernel fix has been available since 2022. Most current Linux distributions ship with the patched kernel. However, the KEV addition signals that unpatched kernels — likely in legacy, embedded, or container-host systems — remain in production and are being actively targeted.
Business impact: Under certain circumstances, the cgroups v1 release_agent feature can be exploited to escalate privileges and bypass namespace isolation. The vulnerability allows a local attacker in a contained environment — such as a container with access to cgroups — to break out of namespace restrictions and gain elevated privileges on the host system. This is particularly relevant for containerised environments (Docker, Kubernetes, LXC) where cgroups v1 is still in use and containers are not adequately isolated from the cgroup filesystem. The fact that this 2022-vintage CVE is being added to KEV in June 2026 — four years after the fix — indicates that attackers are finding and exploiting unpatched Linux systems, likely in embedded devices, legacy server deployments, and container hosts that have deferred kernel updates. The June 5 deadline gives organisations two days to identify and patch affected systems.
How to fix: Apply the kernel update from your Linux distribution. For most current distributions (Ubuntu 20.04+, RHEL 8+, Debian 11+, etc.), the fix is already included in standard kernel packages — verify your kernel version is current. For container hosts, ensure the host kernel is patched — container escape vulnerabilities affect the host, not the container. In Kubernetes environments, audit your container runtime configuration to ensure cgroups v2 is used where possible, as cgroups v2 does not have the release_agent feature that enables this vulnerability.
Recommended action: Audit Linux systems — particularly container hosts, legacy servers, and embedded devices — for unpatched kernel versions. The 2022 patch date means many organisations should already be protected if they have maintained routine kernel updates, but legacy and air-gapped systems are at risk. Container hosts running cgroups v1 should be prioritised due to the container-escape potential.
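As an added audit aid for the inventory step above (not from the report, the kernel project or any vendor), the following Python classifies a host's cgroup layout from /proc/mounts as unified (cgroup2 only), hybrid or legacy v1, and flags v1 hierarchies mounted read-write, since release_agent is a cgroup v1 file. The two embedded mount tables are constructed samples; audit_live_host() reads the real /proc/mounts when run on a Linux host.

```python
"""Audit aid for CVE-2022-0492: classify a host's cgroup layout from /proc/mounts.

Added example, not from the report or the kernel project. The sample mount tables
below are constructed; audit_live_host() reads the real /proc/mounts when present.
"""
import os
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of /proc/mounts for a hypothetical host still on cgroups v1
SAMPLE_LEGACY_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,xattr,name=systemd 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpu,cpuacct 0 0
"""

# Constructed excerpt for a hypothetical host on the unified (cgroup v2) hierarchy
SAMPLE_UNIFIED_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate 0 0
"""


@dataclass
class CgroupLayout:
    mode: str                                                # "unified", "hybrid", "legacy" or "none"
    v1_hierarchies: List[str] = field(default_factory=list)  # mount points of v1 hierarchies
    v1_writable: List[str] = field(default_factory=list)     # v1 hierarchies mounted rw


def parse_mounts(text: str) -> CgroupLayout:
    """Classify the cgroup layout from /proc/mounts-formatted text."""
    v1, v1_rw, has_v2 = [], [], False
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint, fstype, opts = fields[1], fields[2], fields[3].split(",")
        if fstype == "cgroup2":
            has_v2 = True
        elif fstype == "cgroup":  # a cgroup v1 hierarchy
            v1.append(mountpoint)
            if "rw" in opts:
                v1_rw.append(mountpoint)
    if has_v2 and v1:
        mode = "hybrid"
    elif has_v2:
        mode = "unified"
    elif v1:
        mode = "legacy"
    else:
        mode = "none"
    return CgroupLayout(mode, v1, v1_rw)


def release_agent_exposed(layout: CgroupLayout) -> bool:
    """release_agent exists only at the root of a cgroup v1 hierarchy, so a host with no
    v1 hierarchy currently mounted read-write has none of those files to protect."""
    return bool(layout.v1_writable)


def summarise(layout: CgroupLayout) -> str:
    """One-line finding for an inventory report."""
    if not release_agent_exposed(layout):
        return f"cgroup mode={layout.mode}: no v1 hierarchy mounted rw; still confirm the kernel is patched"
    return (f"cgroup mode={layout.mode}: {len(layout.v1_writable)} v1 hierarchies mounted rw "
            f"({', '.join(layout.v1_writable)}); prioritise the CVE-2022-0492 kernel update")


def audit_live_host(path: str = "/proc/mounts") -> Optional[CgroupLayout]:
    """Read the real mount table on a Linux host; None where the file does not exist."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return parse_mounts(fh.read())


if __name__ == "__main__":
    for name, sample in (("legacy", SAMPLE_LEGACY_MOUNTS), ("unified", SAMPLE_UNIFIED_MOUNTS)):
        print(name, "->", summarise(parse_mounts(sample)))
    live = audit_live_host()
    if live is not None:
        print("this host ->", summarise(live))
```

The check reports what is mounted right now; an unpatched kernel that still supports cgroup v1 remains the thing to fix, because a sufficiently privileged process can mount a v1 hierarchy later, so treat a "unified" result as lowering exposure, not as a substitute for the kernel update.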
Official source: NVD — CVE-2022-0492 | CISA KEV Catalog
KEV Deadline Watch — Seven Deadlines Today, Three Tomorrow
Today — June 3, 2026 (7 deadlines)
Microsoft Defender — CVE-2026-41091 and CVE-2026-45498. The most impactful of today’s deadlines. Verify Malware Protection Engine version 1.1.26040.8 across all Windows endpoints. CVE-2026-41091 allows local privilege escalation; CVE-2026-45498 enables denial of service. Both are remediated by the engine update distributed through Windows Update. Verify deployment coverage across your endpoint fleet — particularly on servers and VDI environments where update policies may differ from user workstations. Covered in full in the May 22 report.
The remaining five deadlines today are legacy CVEs for which patches have been available for years: Microsoft Windows Server Service RPC buffer overflow (CVE-2008-4250, Conficker era — 18 years old), Microsoft DirectX QuickTime parser (CVE-2009-1537), Adobe Acrobat/Reader heap overflow (CVE-2009-3459), and two Microsoft Internet Explorer use-after-free vulnerabilities (CVE-2010-0249, CVE-2010-0806). These are included here for compliance tracking — the patches for all five have been available for over a decade.
Tomorrow — June 4, 2026 (3 deadlines)
Oracle WebLogic — CVE-2024-21182. T3/IIOP unauth access. Apply July 2024 CPU. Covered in the June 2 report and dedicated advisory.
Trend Micro Apex One — CVE-2026-34926. Pre-auth local LPE. Apply SP1 CP Build 18012 (on-premise) or agent build 14.0.20731 (SaaS). Covered in the May 22 report.
Langflow — CVE-2025-34291. CORS + token theft exploited by MuddyWater APT. Upgrade to 1.7.0. Covered in the May 22 report.
ARMember Premium (WordPress Plugin) — CVE-2026-5076 and CVE-2026-5073
Software affected: ARMember Premium — a WordPress membership and subscription plugin, all versions up to and including 7.3.1.
CVEs: CVE-2026-5076 | CVSS 9.8 Critical | CWE-287 (Insecure Password Reset) — the plugin stores a plaintext copy of the password reset key in the arm_reset_password_key user meta field alongside the standard hashed key WordPress core stores. An attacker with access to the database — through SQL injection, compromised backup, or other means — can extract the plaintext reset key and take over any user account.
CVE-2026-5073 | CVSS 7.5 High | CWE-89 (SQL Injection) — the order parameter of the arm_directory_paging_action AJAX action is vulnerable to SQL injection due to insufficient escaping.
Both published June 2, 2026.
Fixable: Yes. Update ARMember Premium to a version beyond 7.3.1.
Business impact: Two vulnerabilities disclosed simultaneously in a membership plugin create a dangerous chained attack scenario. CVE-2026-5073 (SQL injection) enables an attacker to read database contents including user data. Once the database is accessed, CVE-2026-5076 becomes exploitable: the plaintext password reset keys stored alongside user accounts allow instant account takeover for any user whose reset key was visible in the database — including administrators. The combination of database read access plus plaintext credential material is a full site compromise chain.
Recommended action: Update ARMember Premium immediately. The dual-vulnerability disclosure — SQL injection plus plaintext password reset storage — is a high-severity combination. Any WordPress site running this membership plugin should be patched today.
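The two defect classes in this section, as an added Python illustration that is not ARMember's or WordPress's code (the table, column names and meta key are hypothetical stand-ins, and SQLite stands in for the site database): an ORDER BY clause built from a request parameter beside an allow-listed version, since SQL identifiers cannot be bound as prepared-statement parameters, and a reset-key store that keeps only a salted hash so a database read does not yield a key that works against the site.

```python
"""Hardened counterparts to the two ARMember-style defects.

Added illustration, not ARMember's code: table, column names and the meta key are
hypothetical stand-ins. Uses an in-memory SQLite database so it runs offline.
"""
import hashlib
import hmac
import secrets
import sqlite3

# CWE-89 pattern: a sort parameter spliced into ORDER BY. Identifiers cannot be bound
# as prepared-statement parameters, so the defence is an allow-list, not escaping.
ALLOWED_SORT_COLUMNS = {"display_name", "user_registered"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def paging_query_unsafe(order: str) -> str:
    """Insecure pattern, kept for contrast: the request value reaches the SQL text unchanged."""
    return f"SELECT user_login FROM users ORDER BY {order}"


def sort_parameter_allowed(column: str, direction: str) -> bool:
    return column in ALLOWED_SORT_COLUMNS and direction.upper() in ALLOWED_DIRECTIONS


def paging_query_safe(column: str, direction: str) -> str:
    """Hardened: only allow-listed identifiers ever appear in the SQL text."""
    if not sort_parameter_allowed(column, direction):
        raise ValueError("unexpected sort parameter")
    return f"SELECT user_login FROM users ORDER BY {column} {direction.upper()}"


# CWE-287 pattern: the reset key exists in plaintext only in the e-mail sent to the user.
# The database row holds salt:hash, so a database read (via SQL injection, a leaked
# backup or otherwise) does not hand over a key that the site will accept.
PBKDF2_ROUNDS = 100_000


def _hash_key(key: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", key.encode("utf-8"), salt, PBKDF2_ROUNDS)


def new_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT,"
               " PRIMARY KEY (user_id, meta_key))")
    return db


def issue_reset_key(db: sqlite3.Connection, user_id: int) -> str:
    """Create a reset key, persist only salt:hash, return the plaintext once for the mail."""
    key = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    stored = salt.hex() + ":" + _hash_key(key, salt).hex()
    db.execute("INSERT OR REPLACE INTO usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)",
               (user_id, "reset_key_hash", stored))
    return key


def verify_reset_key(db: sqlite3.Connection, user_id: int, presented: str) -> bool:
    """Constant-time comparison of the presented key's hash with the stored hash."""
    row = db.execute("SELECT meta_value FROM usermeta WHERE user_id = ? AND meta_key = ?",
                     (user_id, "reset_key_hash")).fetchone()
    if row is None:
        return False
    salt_hex, digest_hex = row[0].split(":", 1)
    return hmac.compare_digest(_hash_key(presented, bytes.fromhex(salt_hex)),
                               bytes.fromhex(digest_hex))


def key_recoverable_from_db(db: sqlite3.Connection, user_id: int, key: str) -> bool:
    """What a database-read attacker gets: True only if the plaintext key sits in a row."""
    rows = db.execute("SELECT meta_value FROM usermeta WHERE user_id = ?", (user_id,)).fetchall()
    return any(key in value for (value,) in rows)


if __name__ == "__main__":
    db = new_db()
    key = issue_reset_key(db, 1)
    print("valid key accepted:", verify_reset_key(db, 1, key))
    print("plaintext in database:", key_recoverable_from_db(db, 1, key))
    print(paging_query_safe("display_name", "desc"))
```

The allow-list is the whole fix for the sort parameter: escaping helps with string literals, not with identifiers and keywords that are part of the SQL grammar. For the reset key, a high-entropy random token does not strictly need a slow hash, but hashing it the same way as a password costs little and keeps the property that matters: nothing stored in the database is itself a usable credential.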
Official source: NVD — CVE-2026-5076 | NVD — CVE-2026-5073
Updates on Items from Previous Reports
Windows Netlogon — CVE-2026-41089 (CVSS 9.8, Belgian exploitation warning): Covered in the June 2 report and dedicated advisory. Patch domain controllers first.
Citrix NetScaler — CVE-2026-3055 (CVSS 9.8, large-scale exploitation): Covered in the June 2 report and dedicated advisory. Fortinet confirms ongoing large-scale exploitation. Patch immediately if you have not already.
Palo Alto PAN-OS — CVE-2026-0257 (KEV deadline passed June 1): Now two days past the deadline. Covered in the dedicated advisory.
Apache Solr — CVE-2026-44825 (hardcoded admin creds): Covered in the dedicated advisory. Delete template accounts or upgrade Solr.
IBM WebSphere — CVE-2026-8644/9311/9319: Covered in the dedicated advisory. Apply all three fixes in a single maintenance window.
Kirki WP Plugin — CVE-2026-8206 (CVSS 9.8): Covered in the dedicated advisory. Unauthenticated account takeover via password reset. “Tens of thousands of WordPress sites” affected, per the Dutch security advisory.
Drupal Core — CVE-2026-9082: Covered in the dedicated advisory. One week past the KEV deadline.
WP Maps Pro — CVE-2026-8732: Covered in the dedicated advisory. Attackers creating rogue admin accounts.
Ghost CMS — CVE-2026-26980 (700+ domains): Covered in the May 29 report. Update to Ghost 6.19.1.
SonicWall SSL-VPN — CVE-2024-12802: Covered in the May 29 report. Gen6: firmware + manual LDAP reconfig required.
FortiClient EMS — CVE-2026-35616 / FortiAuthenticator — CVE-2026-44277 / FortiSandbox — CVE-2026-26083: Three Fortinet CVEs covered in the May 29 report. All patch-now priority.
Exim — CVE-2026-45185 (CVSS 9.8): Covered in the May 29 report. Update to 4.99.3.
ChromaDB — CVE-2026-45829 (CVSS 10.0): Covered in the May 29 report. Do not expose API server to the internet.
Oracle REST Data Services — CVE-2026-46840 (CVSS 10.0): Covered in the May 30 report. Apply May 2026 CSPU.
CIFSwitch / 7-Zip / Starlette / Spectra / Simple History / GEO my WP / Nx Console / TanStack: All covered in dedicated advisories and previous reports. Refer to linked reports for full details.
This report is compiled from official vendor advisories, the CISA Known Exploited Vulnerabilities catalog, the National Vulnerability Database, and primary security research sources. Verify all remediation steps against official vendor documentation before applying changes in production environments.
