Overview
CVE-2022-0492 is a high-severity privilege escalation vulnerability in the Linux kernel affecting the cgroups v1 release_agent feature. The flaw allows a local attacker — or a process running inside a container — to escape container isolation and gain root-level access on the underlying host system.
CISA added this vulnerability to the Known Exploited Vulnerabilities (KEV) catalog on June 2, 2026, confirming active exploitation in the wild.
| Field | Details |
|---|---|
| CVE ID | CVE-2022-0492 |
| CVSS Score | 7.8 (High) |
| Vector | Local / Privilege Escalation |
| Affected Versions | Linux Kernel < 5.17 |
| CISA KEV | Added June 2, 2026 |
| Patch Available | Yes — Kernel 5.17+ |
Technical Details
The vulnerability exists in how the Linux kernel handles the release_agent file within the cgroups v1 hierarchy. A privileged process (with CAP_SYS_ADMIN in the initial user namespace, or via a misconfigured container runtime) can write a controlled path to release_agent, which the kernel executes as root when the last process in a cgroup exits.
Attack Scenario
- Attacker identifies a cgroup v1 mount accessible from within a container
- Writes a malicious script path to the `release_agent` control file
- Triggers the cgroup release mechanism by killing all processes in the cgroup
- The kernel executes the attacker-controlled script with root privileges on the host
This technique is known as a container escape and has been demonstrated in both Docker and Kubernetes environments where cgroups v1 is enabled.
```bash
# Simplified exploitation concept (cgroups v1 release_agent)
mkdir /tmp/escape_cgroup
mount -t cgroup -o memory cgroup /tmp/escape_cgroup
echo 1 > /tmp/escape_cgroup/notify_on_release
host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)
echo "$host_path/cmd" > /tmp/escape_cgroup/release_agent
```
Impact
A successful exploit allows an attacker to:
- Escape container isolation in Docker, Kubernetes, and LXC environments
- Execute arbitrary commands as root on the host system
- Pivot to the host network and other containers running on the same node
- Persist access by installing rootkits or backdoors on the host
Given that many cloud and production environments run Linux kernel versions predating the 5.17 patch, the exploitable attack surface is significant.
Affected Systems
- Linux Kernel versions prior to 5.17
- Distributions with cgroups v1 enabled (most enterprise Linux distributions)
- Container runtimes: Docker, Kubernetes, LXC, Podman (with rootful containers)
- Cloud environments using older kernel images
Remediation
Immediate Actions
- Update to Linux Kernel 5.17 or later — the upstream patch was merged in early 2022
- Disable cgroups v1 if not required: migrate to cgroups v2 (`cgroupv2`), which is the default in modern kernels
- Apply vendor patches for your distribution:
  - Ubuntu: `linux-image-5.15.0-*` series (patched in -52 and later)
  - RHEL/CentOS: Backport patches available via RHSA advisories
  - Debian: Update to `linux 5.16.11-1` or later
- Restrict container capabilities: Avoid running containers with `CAP_SYS_ADMIN` or as `--privileged`
- Enable seccomp/AppArmor profiles to restrict cgroup manipulation from within containers
Detection
Monitor for unusual release_agent modifications using audit rules:
```bash
# Audit rule to detect release_agent writes.
# A file watch (-w ... -p wa) is used instead of "-S write -F path=...": the path
# filter matches PATH records, which are only produced when a pathname is resolved
# (open/openat), never by write(2), so a write-syscall rule keyed on path would not fire.
-w /sys/fs/cgroup/memory/release_agent -p wa -k cgroup_escape
```

Also check container workloads for suspicious cgroup mounts, and apply read-only or nosuid mount restrictions where possible.
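As an added example (not part of the original advisory), the following Python correlates raw auditd SYSCALL and PATH records by event serial and reports the host-side process that opened a cgroup v1 `release_agent` file for writing under the `cgroup_escape` key. The audit log lines are constructed samples, not captures from a real host.

```python
import re
from collections import defaultdict

# Constructed sample auditd records (not from a real host). Event 1234 is a shell
# opening release_agent for writing; event 1235 is an unrelated file open.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1654123456.789:1234): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1a2b3c4d a2=241 a3=1b6 items=2 ppid=4100 pid=4242 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="sh" exe="/bin/dash" key="cgroup_escape"
type=CWD msg=audit(1654123456.789:1234): cwd="/"
type=PATH msg=audit(1654123456.789:1234): item=0 name="/sys/fs/cgroup/memory/" inode=1 dev=00:1c mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1654123456.789:1234): item=1 name="/sys/fs/cgroup/memory/release_agent" inode=2 dev=00:1c mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1654123457.001:1235): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd1a2b3c4d a2=0 a3=0 items=1 ppid=1 pid=900 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="cat" exe="/usr/bin/cat" key="other_rule"
type=PATH msg=audit(1654123457.001:1235): item=0 name="/etc/hostname" inode=3 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(log_text):
    """Group raw audit records by event serial: one SYSCALL dict plus a list of PATH dicts."""
    events = defaultdict(lambda: {"ts": 0.0, "SYSCALL": {}, "PATH": []})
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
        ev = events[int(m.group("serial"))]
        ev["ts"] = float(m.group("ts"))
        if m.group("type") == "SYSCALL":
            ev["SYSCALL"] = fields
        elif m.group("type") == "PATH":
            ev["PATH"].append(fields)
    return events

def find_release_agent_writes(log_text, key="cgroup_escape"):
    """One alert per event tagged with the audit key whose PATH records name a
    cgroup v1 release_agent file; the host-side pid/exe identify the writer."""
    alerts = []
    for serial, ev in sorted(parse_records(log_text).items()):
        sc = ev["SYSCALL"]
        if sc.get("key") != key:
            continue
        targets = [p["name"] for p in ev["PATH"] if p.get("name", "").endswith("/release_agent")]
        if not targets:
            continue
        alerts.append({"serial": serial, "ts": ev["ts"], "pid": int(sc["pid"]),
                       "ppid": int(sc["ppid"]), "uid": int(sc["uid"]), "comm": sc.get("comm"),
                       "exe": sc.get("exe"), "path": targets[0],
                       "success": sc.get("success") == "yes"})
    return alerts
```

The reported `pid` is in the host's pid namespace, so it can be looked up directly on the node (for example in `/proc/<pid>/cgroup`) to identify which container the write came from.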