CVE-2022-0492 (Severity: High; CISA Known Exploited Vulnerability)

Linux kernel cgroups vulnerability (CVE-2022-0492) — exploitable for privilege escalation and container escape

Vendor/product: Linux Kernel. Added to KEV: Jun 2, 2026. Federal remediation due: 2026-06-05.

An improper-authentication vulnerability in the Linux kernel cgroups v1 "release_agent" feature leads to privilege escalation. Depending on configuration it can be abused for container escape. Disclosed in 2022, but CISA only listed it as known-exploited (KEV) in 2026 (CVSS 7.8 High).

Key facts

  • CVE ID: CVE-2022-0492
  • CVSS base score: 7.8 HIGH
  • CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Affected (vendor / product): Linux Kernel
  • CWE: CWE-287, CWE-862
  • Exploitation: Listed in CISA KEV (exploitation confirmed)
  • Remediation due: 2026-06-05 (U.S. federal civilian agencies, BOD 22-01)

Key points

  • Missing privilege check in the cgroups v1 "release_agent" feature (CWE-287 / CWE-862)
  • Local privilege escalation; with weak configuration, exploitable for container-to-host escape
  • Disclosed in 2022 but only entered KEV in 2026: an old, known vulnerability that is still being exploited
  • Response: update to a fixed kernel + least-privilege containers (avoid unneeded CAPs, use seccomp, etc.)
  • Federal civilian remediation deadline was June 5, 2026

CVE-2022-0492 stems from a missing privilege check (CWE-287: improper authentication / CWE-862: missing authorization) in the "release_agent" feature of cgroups (control groups) v1, the Linux kernel's resource-control mechanism. release_agent runs a specified program when a cgroup becomes empty; because that program runs with host-side privileges, a process that can set release_agent without the required privilege check gains code execution it should not have.

The impact is local privilege escalation, but what matters in practice is the possibility of "container escape." If a container is configured without sufficiently effective capability restrictions or seccomp/AppArmor protections, an attacker inside the container can use this vulnerability to execute arbitrary code at high privilege on the host, breaking container isolation and taking over the host.

Although disclosed in 2022, CISA added it to KEV on June 2, 2026. This shows that "even an old, known vulnerability is still being exploited in unpatched environments," underscoring the danger of neglected old kernels.

Primary response: update to a fixed kernel provided by your distribution (most distributions have already shipped the fix). In addition, enforce the principle of least privilege in container runtimes: do not grant unnecessary capabilities (especially CAP_SYS_ADMIN), and enable seccomp/AppArmor/SELinux, so that defense in depth reduces the escape risk. The federal civilian remediation deadline was June 5, 2026.
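As an added illustration (not part of this advisory or of any kernel or runtime project), the Python audit helper below reads the text of a process's /proc/<pid>/status and /proc/mounts and flags the weak configurations named above: CAP_SYS_ADMIN in the effective capability set, no seccomp filter, and a cgroup v1 hierarchy mounted. The CAP_SYS_ADMIN bit number (21) is taken from the kernel's capability.h; the sample status and mount lines are constructed for the demonstration.

```python
CAP_SYS_ADMIN = 21  # capability bit index from include/uapi/linux/capability.h

def parse_status(text):
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def has_cap(cap_hex, bit):
    """True if capability number `bit` is set in a hex mask such as CapEff."""
    return bool((int(cap_hex, 16) >> bit) & 1)

def cgroup_v1_mounted(mounts_text):
    """True if any /proc/mounts entry has filesystem type 'cgroup' (v1).
    Field order per line: device mountpoint fstype options dump pass."""
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2] == "cgroup":
            return True
    return False

def audit(status_text, mounts_text):
    """Return the weak-configuration findings; an empty list means none seen."""
    st = parse_status(status_text)
    findings = []
    if has_cap(st.get("CapEff", "0"), CAP_SYS_ADMIN):
        findings.append("CAP_SYS_ADMIN in effective capability set")
    if st.get("Seccomp", "0") == "0":  # 0 = disabled, 1 = strict, 2 = filter
        findings.append("no seccomp filter applied")
    if cgroup_v1_mounted(mounts_text):
        findings.append("cgroup v1 hierarchy mounted (release_agent available)")
    return findings

# Constructed sample inputs: a loosely configured container vs. a hardened one.
WEAK_STATUS = "Name:\tsh\nCapEff:\t0000003fffffffff\nSeccomp:\t0\n"
HARD_STATUS = "Name:\tsh\nCapEff:\t00000000a80425fb\nSeccomp:\t2\n"
V1_MOUNTS = "cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0\n"
V2_MOUNTS = "cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0\n"

if __name__ == "__main__":
    for name, s, m in (("weak", WEAK_STATUS, V1_MOUNTS), ("hardened", HARD_STATUS, V2_MOUNTS)):
        print(name, audit(s, m) or ["no findings"])
```

On a live system, feed it the contents of /proc/self/status and /proc/mounts from inside the container being reviewed; any finding is a reason to tighten the runtime profile, not proof of exploitability.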

Why it matters

For organizations running containers / Kubernetes, the priorities are diligent kernel updates and revisiting least-privilege container design. An old vulnerability entering KEV is also a wake-up call to inventory legacy environments.

FAQ

What are cgroups?
A Linux mechanism that controls and isolates process resources (CPU, memory, etc.); it is one of the foundations of container technology.
Am I necessarily at risk if I use containers?
Not necessarily. If capability restrictions and seccomp/AppArmor are properly in effect, exploitation is harder. Still, both kernel updates and least-privilege design matter.
What should I do?
Update to a fixed kernel provided by your distribution, and in container runtimes enforce configurations that do not grant unnecessary privileges.

Sources (primary)

This article is an independent compilation based on the U.S. official data below. Always verify the exact, latest details and applicability with the official and vendor sources.
