CISA Adds Linux Kernel cgroups Container Escape Flaw CVE-2022-0492 to Exploited Vulnerabilities Catalog

By Ash K

A container escape bug from 2022 is back in the defender spotlight because CISA now says attackers are exploiting it in the wild.

The issue, tracked as CVE-2022-0492, sits in the Linux kernel’s cgroups v1 implementation. In the wrong configuration, it turns a compromised container or local foothold into a path toward host-level control — exactly the kind of escalation attackers want after landing inside a Linux workload.

What Happened

The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2022-0492 to its Known Exploited Vulnerabilities catalog on June 2, 2026, warning that the flaw is being exploited in active attacks. Federal Civilian Executive Branch agencies have been ordered to apply vendor fixes or discontinue use of affected products by June 5, 2026.

CVE-2022-0492 is a Linux kernel privilege escalation vulnerability in the cgroups v1 subsystem, specifically in the cgroup_release_agent_write() function within kernel/cgroup/cgroup-v1.c. NVD describes the issue as a flaw that can allow use of the cgroups v1 release_agent feature to escalate privileges and unexpectedly bypass namespace isolation.

The vulnerability was originally disclosed in 2022 and is rated high severity, with a CVSS score commonly listed as 7.0. Its late arrival in CISA’s exploited catalog is the operational warning: old Linux kernel bugs remain useful when they map to real-world container misconfigurations, stale hosts, and incomplete patch coverage.

How the Container Escape Works

Control groups, or cgroups, are a Linux kernel feature used to limit and account for resource usage across groups of processes. Containers depend heavily on kernel isolation primitives like namespaces, cgroups, seccomp, AppArmor, and SELinux. CVE-2022-0492 matters because it attacks that boundary from the inside.

The vulnerable path involves the cgroups v1 release_agent mechanism. A release agent is executed by the host when the last process in a cgroup exits and notify_on_release is enabled. If an attacker can write a malicious release agent path from inside a vulnerable context, that execution can cross the container boundary and run on the host.

Aqua Security described the flaw as a weakness in handling release_agent in cgroups that could allow container escape under certain conditions. Unit 42’s earlier analysis also showed that exploitation depends heavily on container configuration, including whether the attacker has enough privilege inside the container to write the release agent and trigger execution.

Affected Kernel Branches and Fixed Versions

Reporting on CISA’s KEV update cites affected Linux kernel branches from 2.6 through 4.20 and from 5.5 through 5.17. Fixed kernel versions include 4.9.301 and later, 4.14.266 and later, 4.19.229 and later, 5.4.177 and later, 5.10.97 and later, 5.15.20 and later, 5.16.6 and later, and 5.17-rc3 and later.

Because Linux distributions backport security patches, defenders should not rely on upstream kernel version strings alone. The safer approach is to check the advisory and patched kernel package from the operating system vendor, then confirm the running kernel has actually been rebooted into the fixed build.
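The version check described above, as an added example written for this article rather than code from CISA, NVD or any kernel vendor: it parses a `uname -r` style release string and compares it against the upstream fixed releases listed in the previous paragraph. It implements only the upstream heuristic. A distribution kernel whose release string reads something like `5.15.0-91-generic` (a constructed example) may carry the fix as a backport and still be reported here as unpatched, so a negative result is a prompt to consult the vendor advisory and confirm the host was rebooted into the fixed package, not a verdict.

```python
import platform
import re
from typing import Optional, Tuple

# Upstream stable releases that carry the fix, as listed in the article.
# Key: (major, minor) branch. Value: orderable key of the first fixed
# release on that branch (see version_key for the key layout).
FIRST_FIXED = {
    (4, 9): (4, 9, 301, 1, 0),
    (4, 14): (4, 14, 266, 1, 0),
    (4, 19): (4, 19, 229, 1, 0),
    (5, 4): (5, 4, 177, 1, 0),
    (5, 10): (5, 10, 97, 1, 0),
    (5, 15): (5, 15, 20, 1, 0),
    (5, 16): (5, 16, 6, 1, 0),
    (5, 17): (5, 17, 0, 0, 3),  # 5.17-rc3
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def version_key(release: str) -> Optional[Tuple[int, int, int, int, int]]:
    """Turn a `uname -r` style string into an orderable tuple.

    Layout: (major, minor, patch, is_final, rc). A final release sorts above
    every -rc of the same version, so 5.17.0 > 5.17-rc3 > 5.17-rc2.
    Distribution suffixes such as "-91-generic" or "-1-amd64" are ignored.
    """
    m = VERSION_RE.match(release.strip())
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    is_final = 0 if rc else 1
    return (int(major), int(minor), int(patch or 0), is_final, int(rc or 0))


def assess_kernel(release: str) -> Tuple[Optional[bool], str]:
    """Return (patched_upstream, reason) for a kernel release string.

    True  -> at or past the first fixed upstream release on that branch
    False -> predates the fix, or sits on a branch with no listed fixed
             release; confirm against the distribution advisory
    None  -> the string could not be parsed
    """
    key = version_key(release)
    if key is None:
        return None, f"could not parse kernel release {release!r}"
    branch = key[:2]
    label = f"{branch[0]}.{branch[1]}"
    if branch in FIRST_FIXED:
        if key >= FIRST_FIXED[branch]:
            return True, f"{release}: at or past the first fixed release on {label}"
        return False, (f"{release}: upstream fix landed in a later {label} release; "
                       "check whether the distribution backported it")
    if branch > (5, 17):
        return True, f"{release}: mainline newer than 5.17-rc3, fix is included"
    return False, f"{release}: branch {label} has no fixed release listed; treat as affected"


def kernel_is_patched_upstream(release: str) -> Optional[bool]:
    """Boolean view of assess_kernel, for use in inventory scripts."""
    return assess_kernel(release)[0]


if __name__ == "__main__":
    # Assess the kernel this script is running under.
    print(assess_kernel(platform.release())[1])
```

Run it on each node as part of an inventory pass, then reconcile every `False` against the vendor's patched package version; the two lists rarely match on distributions that backport, which is precisely why the check is a triage aid rather than a scanner result.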

Why This Stands Out

This is not a remote unauthenticated bug that lets anyone on the internet directly seize a Linux host. The attacker typically needs local code execution or access to a container first. But in cloud environments, that is often the second step of an intrusion, not the hard part.

The real danger is post-compromise acceleration. A vulnerable container host can let an attacker move from a single workload into the underlying node, where Kubernetes credentials, mounted secrets, service account tokens, container runtime sockets, host paths, and neighboring workloads may become reachable.

That makes CVE-2022-0492 especially relevant for organizations running multi-tenant container platforms, CI/CD runners, self-hosted build systems, developer sandboxes, exposed container workloads, or Kubernetes clusters where privileged containers and relaxed security profiles still exist.

What Defenders Should Check

Patch the host kernel first. Container image updates alone will not fix a kernel vulnerability on the node. Prioritize Kubernetes worker nodes, internet-facing Linux servers, shared hosting systems, CI runners, and any host that runs privileged or semi-privileged containers.

Security teams should also review whether cgroups v1 is still in use, whether containers run with elevated capabilities such as CAP_SYS_ADMIN, whether seccomp is disabled, whether AppArmor or SELinux is absent or permissive, and whether untrusted workloads can mount or manipulate cgroup filesystems.

Detection should focus on suspicious writes to cgroup release_agent files, unexpected changes to notify_on_release, container processes mounting cgroup filesystems, unusual host-level process execution linked to container activity, and attempts to access sensitive host paths from inside containers.
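The detection points above turned into a small rule set, as an added example that is not code from the article or from any sensor vendor. It assumes a hypothetical host agent that emits one `key=value` line per observed syscall, tagged with the container that issued it (`host` for processes outside any container); the sample lines below are constructed to illustrate the rules, not captured output. Two design points matter: the rules key on the file basename (`release_agent`, `notify_on_release`) rather than on `/sys/fs/cgroup`, because a cgroup filesystem mounted from inside a container can sit at any path, and the rules correlate per container so that a write to both files from the same container is raised as a chain rather than two isolated medium-severity events.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample events in a hypothetical "key=value" sensor format
# (not real output from any runtime or audit tool). Each line is one
# syscall seen by an imagined host agent, tagged with the issuing container.
SAMPLE_EVENTS = """\
2026-06-02T10:00:01Z container=abc123 syscall=mount fstype=cgroup target=/tmp/mnt
2026-06-02T10:00:02Z container=abc123 syscall=write path=/tmp/mnt/release_agent
2026-06-02T10:00:03Z container=abc123 syscall=write path=/tmp/mnt/notify_on_release
2026-06-02T10:00:04Z container=def456 syscall=write path=/app/data/orders.log
2026-06-02T10:00:05Z container=host syscall=write path=/sys/fs/cgroup/memory/notify_on_release
2026-06-02T10:00:06Z container=def456 syscall=mount fstype=tmpfs target=/scratch
"""

TOKEN = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    rule: str
    severity: str
    container: str
    line: str  # the triggering event, empty for correlated alerts


def parse_event(line: str) -> Dict[str, str]:
    """Split a sensor line into a dict; the leading token is the timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(TOKEN.findall(rest))
    fields["ts"] = ts
    return fields


def detect(events_text: str) -> List[Alert]:
    """Apply the per-event rules, then correlate indicators per container."""
    alerts: List[Alert] = []
    seen: Dict[str, Set[str]] = {}  # container -> indicator names observed

    def note(container: str, indicator: str) -> None:
        seen.setdefault(container, set()).add(indicator)

    for line in events_text.splitlines():
        ev = parse_event(line)
        c = ev.get("container", "unknown")
        sc = ev.get("syscall")
        base = os.path.basename(ev.get("path", ""))
        from_container = c != "host"

        # Rule 1: a container mounting a cgroup v1 filesystem anywhere.
        if sc == "mount" and ev.get("fstype") == "cgroup" and from_container:
            alerts.append(Alert("cgroup_v1_mount_from_container", "medium", c, line))
            note(c, "mount")
        # Rule 2: any write to a release_agent file, wherever it is mounted.
        elif sc == "write" and base == "release_agent":
            sev = "high" if from_container else "low"
            alerts.append(Alert("release_agent_write", sev, c, line))
            note(c, "release_agent")
        # Rule 3: toggling notify_on_release; routine on the host, suspicious in a container.
        elif sc == "write" and base == "notify_on_release":
            sev = "medium" if from_container else "low"
            alerts.append(Alert("notify_on_release_write", sev, c, line))
            note(c, "notify_on_release")

    # Correlation: the two writes together, from one container, describe the
    # escape chain the article outlines, so raise one critical alert for it.
    for c, indicators in seen.items():
        if c != "host" and {"release_agent", "notify_on_release"} <= indicators:
            alerts.append(Alert("release_agent_escape_chain", "critical", c, ""))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity:8}] {a.rule:32} container={a.container} {a.line}")
```

On the constructed input, `abc123` produces the mount, `release_agent` and `notify_on_release` alerts plus the correlated chain alert; the host-side `notify_on_release` write is kept at low severity because legitimate tooling changes that file, and `def456` produces nothing because a `tmpfs` mount and an application log write are ordinary behaviour.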

Bigger Picture

CISA’s move is a reminder that container escape risk is rarely about one bug in isolation. Exploitation usually depends on a chain: an initial foothold, a permissive runtime profile, a vulnerable kernel, and a host that still trusts container boundaries more than it should.

That is why hardened defaults matter. Seccomp, AppArmor, SELinux, dropped Linux capabilities, read-only filesystems, non-root containers, and tight admission controls are not checkbox controls. They are the layers that decide whether a kernel flaw becomes a theoretical issue or a working escape path.
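An added example, written for this article and not taken from any project, that covers both the runtime review items listed under "What Defenders Should Check" (cgroup access, elevated capabilities, missing seccomp) and the hardened defaults named in the paragraph above. It audits a Kubernetes Pod manifest held as a plain Python dict (the two specs below are constructed, not taken from a real cluster) and returns one finding per relaxed setting, so the same function can back a pre-deployment review or a lightweight admission check. AppArmor and SELinux settings are left out because they are applied through annotations and node configuration that vary by distribution.

```python
from typing import Any, Dict, List

# Constructed Pod manifest in dict form showing several of the relaxed
# settings the article lists. Not from any real cluster.
WEAK_POD: Dict[str, Any] = {
    "metadata": {"name": "build-runner"},
    "spec": {
        "securityContext": {},
        "containers": [
            {
                "name": "runner",
                "image": "example/runner:latest",
                "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}},
                "volumeMounts": [{"name": "cg", "mountPath": "/host-cgroup"}],
            }
        ],
        "volumes": [{"name": "cg", "hostPath": {"path": "/sys/fs/cgroup"}}],
    },
}

# The same workload with the hardened defaults the article describes.
HARDENED_POD: Dict[str, Any] = {
    "metadata": {"name": "build-runner"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [
            {
                "name": "runner",
                "image": "example/runner:latest",
                "securityContext": {
                    "readOnlyRootFilesystem": True,
                    "capabilities": {"drop": ["ALL"]},
                },
            }
        ],
    },
}


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    findings: List[str] = []
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")

    # A hostPath onto the host cgroup tree hands the container the very
    # files the release_agent path depends on.
    for vol in spec.get("volumes") or []:
        hp = vol.get("hostPath") or {}
        if hp.get("path", "").startswith("/sys/fs/cgroup"):
            findings.append(f"volume {vol.get('name')}: hostPath {hp['path']} exposes the host cgroup tree")

    for ctr in spec.get("containers") or []:
        name = ctr.get("name", "?")
        sc = ctr.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        added = caps.get("add") or []
        dropped = caps.get("drop") or []

        if sc.get("privileged"):
            findings.append(f"container {name}: privileged=true")
        if "SYS_ADMIN" in added or "ALL" in added:
            findings.append(f"container {name}: adds CAP_SYS_ADMIN")
        if "ALL" not in dropped:
            findings.append(f"container {name}: does not drop all capabilities")

        # A container-level seccompProfile overrides the pod-level one.
        seccomp = (sc.get("seccompProfile") or {}).get("type") or pod_seccomp
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"container {name}: no seccomp profile (got {seccomp!r})")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"container {name}: runAsNonRoot not set")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"container {name}: root filesystem is writable")
    return findings


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {audit_pod(pod) or ['no findings']}")
```

Each finding maps to one layer the paragraph names; none of them patches the kernel, but together they decide whether a process that lands inside the container has the cgroup access and capabilities it would need for the flaw to matter.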

NeuraCyb's Assessment

CVE-2022-0492 is old, but its exploitation warning is current. The message for defenders is blunt: attackers do not care when a bug was patched; they care whether your nodes were patched, rebooted, and hardened. Any Linux container platform still relying on loose runtime permissions is carrying more risk than its vulnerability scanner may show.

References

CISA Known Exploited Vulnerabilities Catalog

NVD: CVE-2022-0492 Detail

Aqua Security: Linux Kernel Vulnerability Escaping Containers by Abusing cgroups

Palo Alto Networks Unit 42: New Linux Vulnerability CVE-2022-0492 Affecting cgroups

BleepingComputer: CISA Warns of Active Attacks Exploiting Android, Linux Bugs

Ash K
Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, incident response, and product and security-solutions architecture.