A1: $K$ is the result of applying a key derivation function to the hash of an output of the `KYBER.CPAPKE.Enc()` function concatenated with a hash of the message and public key. This can be seen on line 5 of the `Kyber.CCAKEM.Enc()` function specification (here $c$ is the output of `KYBER.CPAPKE.Enc()` per line 4). In `KYBER.CCAKEM.Dec()` the $K$ value returned is either the same as the value returned in `KYBER.CCAKEM.Enc()` or a fake value that is published if the $c$ is deemed to have been potentially maliciously generated.

A2: No, but the input $r$ to `KYBER.CPAPKE.Enc()` is now the output of a hash of the message and public key (see lines 3 and 4 of `KYBER.CCAKEM.Enc()`) rather than an arbitrary value.

The issue here is that (module) Learning with Errors schemes are prone to decryption failures and an adversary can gain information about private values based on these failures. In particular, if a CCA adversary maliciously crafts secret vectors and error values with larger values than the `KYBER.CPAPKE.Enc()` process permits, then failures are more likely to occur. The process in `KYBER.CCAKEM.Enc()` and `KYBER.CCAKEM.Dec()` (a variant of the Fujisaki-Okamoto transform) ensures that the random secret and error values were legitimately created and checked to be legitimate as part of the decryption process.
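
The derive-the-coins and re-encrypt-and-compare structure described above, as an added example that is not part of the original answer or the Kyber reference code. The inner PKE is a toy, insecure hashed-ElGamal stand-in for `KYBER.CPAPKE` (an assumption, chosen only because it is deterministic once $r$ is fixed), and all function names are hypothetical.

```python
import hashlib, hmac, secrets

def H(b): return hashlib.sha3_256(b).digest()
def G(b): return hashlib.sha3_512(b).digest()
def KDF(b): return hashlib.shake_256(b).digest(32)

# Toy stand-in for KYBER.CPAPKE: hashed ElGamal mod a Mersenne prime.
# NOT secure and NOT lattice-based; it is only deterministic given coins r.
P, GEN = 2**127 - 1, 3

def _mask(shared):
    return hashlib.shake_256(shared.to_bytes(16, "big")).digest(32)

def cpapke_keygen():
    x = secrets.randbelow(P - 2) + 1
    return pow(GEN, x, P).to_bytes(16, "big"), x

def cpapke_enc(pk, m, r):
    k = int.from_bytes(r, "big") % (P - 1)
    u = pow(GEN, k, P).to_bytes(16, "big")
    shared = pow(int.from_bytes(pk, "big"), k, P)
    return u + bytes(a ^ b for a, b in zip(m, _mask(shared)))

def cpapke_dec(x, c):
    u, v = int.from_bytes(c[:16], "big"), c[16:]
    return bytes(a ^ b for a, b in zip(v, _mask(pow(u, x, P))))

def ccakem_keygen():
    pk, x = cpapke_keygen()
    return pk, (x, pk, H(pk), secrets.token_bytes(32))  # sk = (sk', pk, H(pk), z)

def ccakem_enc(pk, seed=None):
    m = H(seed if seed is not None else secrets.token_bytes(32))
    g = G(m + H(pk))
    kbar, r = g[:32], g[32:]           # coins r are derived from m and pk (A2)
    c = cpapke_enc(pk, m, r)
    return c, KDF(kbar + H(c))         # K = KDF(Kbar || H(c)) (A1)

def ccakem_dec(c, sk):
    x, pk, h, z = sk
    m2 = cpapke_dec(x, c)
    g = G(m2 + h)
    kbar2, r2 = g[:32], g[32:]
    if hmac.compare_digest(cpapke_enc(pk, m2, r2), c):  # re-encryption check
        return KDF(kbar2 + H(c))
    return KDF(z + H(c))               # mismatch: fake K derived from secret z
```

A ciphertext built with coins the sender picked freely still decrypts under the inner PKE, but it fails the re-encryption check and yields only the fake key.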