Linux Kernel cgroups Privilege Escalation (CVE-2022-0492): Container Escape Risk, Added to CISA KEV

nick

Linux Kernel cgroups Privilege Escalation (CVE-2022-0492): Container Escape Risk, Added to CISA KEV

by

A privilege escalation vulnerability in the Linux kernel’s cgroups v1 subsystem, tracked as CVE-2022-0492, allows local attackers to break out of namespace isolation and escalate privileges on affected systems. Originally patched in 2022, the vulnerability has now been added to the CISA Known Exploited Vulnerabilities catalog on June 2, 2026 — four years after the fix — with a federal agency remediation deadline of June 5, 2026. The KEV addition signals that unpatched Linux systems — particularly container hosts and legacy deployments — are being actively targeted.

What Is the Vulnerability?

CVE-2022-0492 is an improper authentication vulnerability in the cgroup_release_agent_write function in kernel/cgroup/cgroup-v1.c. The cgroups (control groups) v1 subsystem includes a feature called release_agent that specifies a program to be executed when a cgroup becomes empty. Under certain circumstances, this feature can be exploited to bypass namespace isolation — the Linux kernel mechanism that separates container processes from the host system.

An attacker with access to cgroup filesystem operations from within a container or a restricted process can manipulate the release_agent configuration to execute arbitrary commands on the host system with elevated privileges. The practical impact is that a compromised or malicious container — or an unprivileged user on a shared system — can escape the container or namespace boundary and gain root-level access to the host. In containerised environments (Docker, Kubernetes, LXC), this means an attacker who compromises a single container can potentially compromise the entire host and all other containers running on it.

The vulnerability is classified as an improper authentication / privilege escalation issue:

  • CVSS v3.1 Score: 7.8 (High)
  • Attack Vector: Local (AV:L)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: Low (PR:L)
  • User Interaction: None (UI:N)
  • CISA KEV: Added June 2, 2026 — federal agency deadline June 5, 2026

Which Versions Are Affected?

All Linux kernel versions with cgroups v1 release_agent functionality enabled are potentially affected. The vulnerability was introduced with the cgroups v1 implementation and was patched in 2022. Affected systems include:

  • Linux kernel versions prior to the 2022 patch — typically kernels before 5.10.x LTS patch series, 5.15.x LTS patch series, and corresponding versions in other LTS branches
  • Systems still using cgroups v1 (cgroups v2 does not have the release_agent feature and is not affected)
  • Container hosts running Docker, Kubernetes, LXC, or other container runtimes with cgroups v1
  • Legacy Linux servers, embedded Linux devices, and IoT systems that have not received kernel updates

Most current Linux distributions (Ubuntu 20.04+, RHEL 8+, Debian 11+, etc.) ship with patched kernels. The systems at risk are primarily legacy deployments, air-gapped systems, embedded devices with vendor-locked kernels, and container hosts where the host kernel has been neglected in favour of patching containers.

Is It Being Exploited in the Wild?

Yes — CISA KEV addition confirms active exploitation. The addition of a 2022-vintage CVE to the KEV catalog in 2026 is a strong signal that attackers are actively finding and exploiting unpatched systems. The four-year gap between patch availability and KEV addition follows a well-established pattern: (1) a vulnerability is patched, (2) most current systems are updated, (3) attackers discover that a significant population of legacy, embedded, or neglected systems remain unpatched, (4) exploitation tools are developed and deployed. The container-escape potential of this vulnerability makes it particularly valuable for attackers targeting cloud and containerised environments. An attacker who gains access to a single container in a Kubernetes cluster and exploits this vulnerability on a cgroups v1 host can escape to the underlying node — potentially compromising all pods on that node and pivoting to other nodes in the cluster.

What Is the Fix?

The kernel fix has been available since 2022. For most current Linux distributions, the fix is included in standard kernel packages. To remediate:

  • Update the host kernel: Apply the latest kernel update from your Linux distribution. Use apt update && apt upgrade (Debian/Ubuntu), dnf update kernel (RHEL/Fedora), or your distribution’s equivalent.
  • Verify the kernel version: Check that you are running a patched kernel with uname -r. Consult your distribution’s security advisory for the specific fixed kernel version.
  • Migrate to cgroups v2: If your environment supports it, migrating from cgroups v1 to cgroups v2 eliminates the release_agent attack surface entirely. Most modern container runtimes (Docker 20.10+, containerd 1.4+, Kubernetes 1.25+) support cgroups v2.
  • Reboot after kernel update: Kernel updates require a reboot to take effect. Use live-patching services (Canonical Livepatch, KernelCare, etc.) if reboots must be deferred, but schedule a reboot at the earliest opportunity.

Recommendations

Audit Linux systems — especially container hosts — for unpatched kernels today. The CISA KEV deadline of June 5 gives you two days. Prioritise systems that: (1) run container workloads with cgroups v1, (2) are multi-tenant or shared environments where unprivileged users have shell access, (3) are legacy servers that have deferred kernel updates, and (4) are embedded or IoT devices with vendor-locked kernels.

Verify your cgroups version on container hosts. Check whether your container hosts are using cgroups v1 or v2. On the host, check /sys/fs/cgroup/ — if you see multiple directories (cpu, memory, devices, etc.), you are on cgroups v1. If you see a unified hierarchy, you are on cgroups v2 (not affected). In Kubernetes, check the node’s cgroup driver setting in the kubelet configuration.

Prioritise container hosts. The container-escape potential makes this vulnerability especially dangerous in containerised environments. An attacker who compromises a single container and exploits this vulnerability on a cgroups v1 host escapes to the node and potentially gains access to all pods scheduled on that node. In Kubernetes clusters without adequate pod security policies, this can cascade to cluster-wide compromise.

Plan your migration to cgroups v2. Even after patching the kernel, cgroups v1 carries a larger attack surface than cgroups v2 due to the release_agent and other legacy features. If your environment still relies on cgroups v1, use this KEV addition as an opportunity to plan and execute a migration to cgroups v2. The security benefits extend beyond this single CVE.

References

This advisory was first covered in the broader Vulnerability Intelligence Report — June 3, 2026. For a comprehensive view of all active threats and newly disclosed vulnerabilities, refer to the full report.

Threat Modeling and Security by Design

Threat modeling and Security by Design methods, tools, and approaches to help secure your business and IT landscape.

Terms of Service | Privacy Policy

AI chatbot & help center by 99helpers.com

Threat Modeling
Threat Modeling Tool
Threat Modeling Tool Explainer
What is Threat Modeling?
STRIDE Threat Modeling
PASTA Threat Modeling
Automated Threat Modeling
Threat Modeling Framework
CISO Security Mind Map 2026
CIS Controls
OWASP Top 10

© Threat-Modeling.com

Connect with me

Enter your Email address if you want to connect and receive threat modeling updates (I won’t spam you or share your contact details).

AND / OR

Try my threat modeling tool, it's completely free to use.

Thanks for signing up!