CVE-2022-0492: Linux Kernel Flaw Enables Full Container Escape
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) officially added CVE-2022-0492 to its Known Exploited Vulnerabilities (KEV) catalog on June 2, 2026, confirming active in-the-wild exploitation of a high-severity Linux Kernel improper authentication vulnerability.
Federal agencies under BOD 22-01 compliance were given a hard remediation deadline of June 5, 2026, signaling the urgency behind the disclosure.
CVE-2022-0492 carries a CVSS score of 7.8 (High) and is rooted in a logical bug within the cgroup_release_agent_write function in kernel/cgroup/cgroup-v1.c.
Classified under CWE-287 (Improper Authentication) and CWE-862 (Missing Authorization), the flaw allows local privilege escalation and full container escape through the cgroups v1 release_agent mechanism.
The release_agent feature is designed to execute a cleanup binary when a control group becomes empty. However, due to a missing capability check in the initial user namespace, an attacker can write an arbitrary malicious executable path to the release_agent.
When the cgroup empties, the kernel executes that binary with root-level privileges on the host, effectively shattering container isolation boundaries and enabling complete host compromise.
Successful exploitation requires a specific converging set of conditions on the target system:
- The container must be running as root or without the no_new_privs flag
- AppArmor, SELinux, and Seccomp must all be disabled
- The host must be running cgroups v1, the predominant configuration on older Linux distributions
- Systems running cgroups v2 are entirely unaffected, as the release_agent feature was removed in v2
Affected Platforms
The vulnerability impacts Linux kernel versions prior to 5.17-rc3 across all LTS branches, including:
- Red Hat Enterprise Linux 8.x and Fedora 35
- Ubuntu 14.04 ESM through 22.04 LTS
- Debian 9.0 through 11.0
Container orchestration environments running Docker, Kubernetes, and LXC on cgroups v1 hosts are directly exposed. Legacy enterprise servers, embedded Linux systems, and IoT devices that have not received recent kernel updates remain at significant risk.
CISA’s KEV addition on June 2, 2026 imposed a three-day remediation window for Federal Civilian Executive Branch (FCEB) agencies under Binding Operational Directive 22-01.
Ransomware campaign attribution is officially listed as Unknown, though the compressed timeline and urgency of the KEV mandate strongly suggest credible active exploitation by organized threat actors targeting unpatched Linux infrastructure.
Recommended Mitigations
Organizations should apply the following layered defense strategy immediately:
- Patch the kernel now — Run apt upgrade or dnf update kernel and reboot; use Canonical Livepatch or KernelCare if live patching is required to defer reboots
- Migrate to cgroups v2 — Docker 20.10+, containerd 1.4+, and Kubernetes 1.25+ natively support cgroups v2, fully eliminating the attack surface
- Drop dangerous capabilities — Use --cap-drop=SYS_ADMIN in container definitions to block release_agent abuse
- Audit cgroup version — Inspect /sys/fs/cgroup/; the presence of multiple named subdirectories indicates cgroups v1 exposure requiring immediate attention
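As an added example (not from the article or from any vendor tooling), the following read-only POSIX shell audit checks the exploitation preconditions listed earlier together with the cgroup-version check from the mitigation list: whether /sys/fs/cgroup is a cgroups v1 hierarchy, whether the calling process holds CAP_SYS_ADMIN and runs without no_new_privs (both read from /proc/self/status), and whether the running kernel release is below the 5.17 threshold named above. The function names, the "two or more controller subdirectories" heuristic for v1, and the sample status values used in the comments are this example's own assumptions. AppArmor, SELinux and seccomp state is not inspected, and the kernel-version line is only a coarse hint because distributions backport fixes into older release numbers.

```shell
#!/bin/sh
# Added example, not part of the original article: a read-only audit for the
# CVE-2022-0492 preconditions. It only reads /proc and /sys and changes nothing.

# cgroup_mode ROOT: print "v2" when ROOT is a unified (cgroups v2) hierarchy,
# "v1" when it holds the per-controller subdirectories of a v1 mount
# (memory/, cpu/, pids/, ...), or "unknown" when ROOT is missing or bare.
# Hybrid hosts keep v1 controllers at the root, so they report "v1" too.
cgroup_mode() {
    root=$1
    [ -d "$root" ] || { echo unknown; return 0; }
    if [ -f "$root/cgroup.controllers" ]; then
        echo v2
        return 0
    fi
    n=0
    for d in "$root"/*/; do
        [ -d "$d" ] && n=$((n + 1))
    done
    if [ "$n" -ge 2 ]; then echo v1; else echo unknown; fi
}

# no_new_privs_set STATUSFILE: succeed when the NoNewPrivs line of a
# /proc/<pid>/status file is 1 (e.g. "NoNewPrivs:\t1").
no_new_privs_set() {
    grep -q '^NoNewPrivs:[[:space:]]*1' "$1"
}

# has_cap_sys_admin STATUSFILE: succeed when CAP_SYS_ADMIN (capability bit 21)
# is in the effective set. CapEff is a 64-bit hex mask, e.g.
# "000001ffffffffff" for a root container with all capabilities.
has_cap_sys_admin() {
    cap=$(awk '/^CapEff:/ { print $2 }' "$1")
    [ -n "$cap" ] || return 1
    [ $(( (0x$cap >> 21) & 1 )) -eq 1 ]
}

# kernel_below_517 RELEASE: succeed when a release string such as
# "5.15.0-91-generic" is older than 5.17, the mainline threshold above.
# A hit means "check the vendor advisory", not proof of vulnerability.
kernel_below_517() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 17 ]; }
}

# preconditions_met STATUSFILE CGROUP_ROOT: succeed only when every condition
# this script can observe is present: a v1 hierarchy, CAP_SYS_ADMIN held, and
# no_new_privs unset. Suitable as a CI gate (non-zero means "not all met").
preconditions_met() {
    [ "$(cgroup_mode "$2")" = v1 ] &&
        has_cap_sys_admin "$1" &&
        ! no_new_privs_set "$1"
}

# audit_host STATUSFILE CGROUP_ROOT KERNEL_RELEASE: human-readable report.
audit_host() {
    status=$1; root=$2; krel=$3
    echo "cgroup hierarchy at $root: $(cgroup_mode "$root")"
    if has_cap_sys_admin "$status"; then
        echo "CAP_SYS_ADMIN: present (use --cap-drop=SYS_ADMIN in the container definition)"
    else
        echo "CAP_SYS_ADMIN: absent"
    fi
    if no_new_privs_set "$status"; then
        echo "no_new_privs: set"
    else
        echo "no_new_privs: not set"
    fi
    if kernel_below_517 "$krel"; then
        echo "kernel $krel: older than 5.17, confirm the vendor's backport status"
    else
        echo "kernel $krel: 5.17 or newer"
    fi
    if preconditions_met "$status" "$root"; then
        echo "verdict: every observable precondition is present; patch or migrate to cgroups v2"
    else
        echo "verdict: at least one precondition is missing"
    fi
}

# When executed directly, audit the calling process and the host cgroup mount.
audit_host /proc/self/status /sys/fs/cgroup "$(uname -r)"
```

Run it with sh inside a running container or on the host: audit_host prints the report, while preconditions_met returns an exit status a pipeline can act on. A container where every line reports a hit matches the conditions listed above and should be rebuilt with --cap-drop=SYS_ADMIN and no_new_privs, on a host that is patched or already on cgroups v2.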
Given that the vulnerability has been present since 2022 and is only now receiving a KEV mandate, unpatched systems across cloud-native and legacy Linux environments should be treated as actively targeted until fully remediated.