Linux Kernel CVE-2022-0492 cgroup release_agent exploitation

Summary

CISA added CVE-2022-0492 to the Known Exploited Vulnerabilities catalog on June 2, 2026. The flaw is an older Linux kernel bug in cgroups v1 release_agent handling that allows privilege escalation and a namespace-isolation bypass. It remains operationally important for container and shared Linux environments when vulnerable kernels or permissive cgroup configurations are present.

Why this matters

  • CISA’s KEV entry validates exploitation in the wild, even though the vulnerability was originally disclosed in 2022.
  • The vulnerable primitive is especially relevant to containerized environments because cgroup_release_agent_write / cgroups v1 release_agent abuse can turn namespace-isolation weaknesses into host-level privilege escalation under the wrong conditions.
  • CISA flags the issue as affecting a common open-source component / third-party library / protocol used by multiple products, so patch status depends on the specific Linux distribution, appliance, container host, or embedded product.

Public reporting

  • NVD describes CVE-2022-0492 as a Linux kernel cgroup_release_agent_write flaw in kernel/cgroup/cgroup-v1.c that, under certain circumstances, allows use of cgroups v1 release_agent to escalate privileges and unexpectedly bypass namespace isolation.
  • CISA describes the flaw as an improper-authentication vulnerability that could allow privilege escalation through the cgroups v1 release_agent feature; ransomware use is marked unknown.
  • The upstream Linux kernel fix is commit 24f6008564183aa120d07c03d9289519c2fe02af.

Defender notes

  • Prioritize patch verification on container hosts, Kubernetes worker nodes, CI runners, appliance-like Linux systems, and multi-tenant Linux servers.
  • Inventory whether cgroups v1 remains enabled or exposed where untrusted workloads run; do not assume cgroups v2 adoption across every host or product.
  • Hunt for suspicious writes or attempts involving cgroup release_agent, unexpected cgroup mounts from containers, and post-exploitation actions from container workloads.
  • Treat KEV inclusion as an active-exploitation signal, but avoid overclaiming actor or campaign attribution until public incident reporting provides that linkage.
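
One way to run the cgroups v1 inventory step above, as an added example that is not code from CISA, NVD or the kernel project: it parses /proc/mounts-format text, lists cgroups v1 hierarchies mounted read-write, and reports any configured release_agent. The function names and the sample mount table are constructed for illustration.

```python
import os

# Constructed sample in /proc/mounts format, so the block runs offline.
SAMPLE_MOUNTS = """\
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/rdma cgroup ro,nosuid,nodev,noexec,relatime,rdma 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
"""

def parse_cgroup_mounts(mounts_text):
    """Return one record per cgroup mount found in /proc/mounts-style text."""
    records = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] not in ("cgroup", "cgroup2"):
            continue
        opts = fields[3].split(",")
        agent = next((o.split("=", 1)[1] for o in opts
                      if o.startswith("release_agent=")), None)
        records.append({
            "mountpoint": fields[1],
            "version": 1 if fields[2] == "cgroup" else 2,
            "writable": "rw" in opts,
            "release_agent": agent,  # v1 only; None when unset
        })
    return records

def v1_exposure(records):
    """cgroups v1 hierarchies mounted read-write: the ones to review first."""
    return [r for r in records if r["version"] == 1 and r["writable"]]

def live_release_agent(mountpoint):
    """Read <hierarchy root>/release_agent on a live host; None if unreadable."""
    try:
        with open(os.path.join(mountpoint, "release_agent")) as fh:
            return fh.read().strip()
    except OSError:
        return None

if __name__ == "__main__":
    source = "/proc/mounts"
    text = open(source).read() if os.path.exists(source) else SAMPLE_MOUNTS
    for rec in v1_exposure(parse_cgroup_mounts(text)):
        agent = live_release_agent(rec["mountpoint"]) or rec["release_agent"]
        print(f'{rec["mountpoint"]}: cgroup v1, rw, release_agent={agent!r}')
```

Run it on the host and inside a representative workload container: the result reflects the mount namespace of the process that runs it.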

Sources

  • CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  • NVD CVE-2022-0492: https://nvd.nist.gov/vuln/detail/CVE-2022-0492
  • Linux kernel fix commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=24f6008564183aa120d07c03d9289519c2fe02af
  • Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2051505