🟢 CVE-2022-0492

CVE-2022-0492 is a Linux kernel privilege escalation vulnerability in the cgroups v1 release_agent feature that allows bypassing namespace isolation. This is a local exploit requiring existing access to a system or container, commonly used for Docker container escapes.

← Back to Overview
LOW_RISK
Risk Level
7.8
CVSS Score
LOCAL
Attack Vector
Privilege Escalation
ATT&CK Tactic
T1068 — Exploitation for Privilege Escalation
ATT&CK Technique
VERY_HIGH
Deployment Risk
No
Ransomware

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2022-03-03

Added to CISA KEV: 2026-06-02 1552 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2022-0492 is a high-severity privilege escalation vulnerability in the Linux kernel's `cgroup_release_agent_write` function within the `cgroup v1` subsystem [4] [1].

Active Exploitation and Threat Actor Usage
While originally patched in 2022, CVE-2022-0492 was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on June 2, 2026, indicating that it is currently being exploited in the wild [2] [3]. Federal agencies in the United States were issued a remediation deadline of June 5, 2026, to address this vulnerability [2]. Specific threat actors associated with this recent activity have not been publicly detailed in the immediate reports.
Attack Method and Requirements
  • Method: The vulnerability stems from a missing permission check; the kernel fails to verify that the process attempting to set the `release_agent` file has the necessary administrative privileges (specifically the `CAP_SYS_ADMIN` capability) [1].
  • Access Type: This is a local vulnerability. It requires the attacker to already have a foothold on the system [2].
  • Exploitation Requirements: It is primarily used for container escape. However, not all containers are vulnerable; exploitation typically requires a "privileged" container or one with permissive security profiles that allow the necessary operations on cgroups [1] [3].
Impact
Successful exploitation allows an attacker to break out of namespace isolation and escalate privileges on the host system, effectively moving from a restricted container environment to the underlying host kernel/system level [2] [5].
Availability and Mitigation
  • Proof-of-Concept: Because the vulnerability is well-documented and has been known since 2022, various proof-of-concept (PoC) scripts and research materials are widely available in the security community [1].
  • Patch Status: The vulnerability was patched in the Linux kernel in 2022. Systems running kernel versions prior to the fix are vulnerable. Users are advised to update to patched kernel versions (typically 5.17 or later, depending on the distribution) and implement security hardening (such as restricting privileged containers) to mitigate the risk [3].

Sources

  1. New Linux Vulnerability CVE-2022-0492 Affecting Cgroups: Can...

    CVE-2022-0492 stems from a missing verification. Linux simply didn't check that the process setting the release_agent file has administrative privileges (i.e. the CAP_SYS_ADMIN capability). The very short patch for CVE-2022-0492 (lines 2-8 below) best explains the vulnerabilityNot every container ca…

  2. Linux Kernel cgroups Privilege Escalation (CVE-2022-0492)

    Originally patched in 2022, the vulnerability has now been added to the CISA Known Exploited Vulnerabilities catalog on June 2, 2026 — four ... A privilege escalation vulnerability in the Linux kernel’s cgroups v1 subsystem, tracked as CVE-2022-0492, allows local attackers to break out of namespace…

  3. Linux container-escape flaw CVE-2022-0492 exploited; CISA orders a fix

    Linux cgroups v1 flaw CVE-2022-0492 is being exploited and CISA added it to KEV. A missing permission check on release_agent enables container escape and privilege escalation. Escape needs conditions like privileged containers. Update to kernel 5.17+ and harden.

  4. CVE-2022-0492 Detail - NVD

    A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, ... CVE-2022-0492 Detail. Description. A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-…

  5. Critical Linux Kernel Vulnerability CVE-2022-0492 Exploited in the ...

    CVE-2022-0492 allows attackers to escalate privileges and bypass namespace isolation. The vulnerability affects cgroups v1, a critical feature ...

Generated by PatchNow Intelligence System

Analysis based on CIRCL.LU data, Claude AI assessment, and MITRE ATT&CK framework

📄 Download JSON Data | 📡 RSS Feed