Cyber Resilience

CVE-2022-0492

HighCISA KEVActive ExploitationPublic PoCUpdated

Published: 03 March 2022

Published
03 March 2022
Modified
03 June 2026
KEV Added
02 June 2026
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.2722 96.5th percentile
Risk Priority 52 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-0492 is a high-severity Improper Authentication (CWE-287) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, ranked in the top 3.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

A vulnerability exists in the Linux kernel's handling of the cgroups v1 release_agent feature, specifically in the cgroup_release_agent_write function within kernel/cgroup/cgroup-v1.c. Under certain conditions, this flaw permits an attacker to misuse the release_agent mechanism to perform privilege escalation and break out of namespace isolation boundaries.

The issue is exploitable by a local attacker with limited privileges, such as a process running inside a container or other restricted environment. Successful exploitation grants the ability to execute arbitrary code with elevated privileges on the host, achieving full control over confidentiality, integrity, and availability of the system.

Kernel developers addressed the flaw through commits that restrict release_agent writes, and distributions have issued updates along with live kernel patches. References also document public container-escape techniques leveraging the same vector. The associated EPSS score rose from lower values to a peak of 0.3372, indicating growing exploitation interest after disclosure.

EU & UK References

Vulnerability details

A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.

CWE(s)
KEV Date Added
02 June 2026

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

netapp
h300s firmware
all versions
netapp
h410c firmware
all versions
netapp
h410s firmware
all versions
netapp
h500s firmware
all versions
netapp
h700s firmware
all versions
netapp
bootstrap os
all versions
linux
linux kernel
5.17 · 2.6.24 — 4.9.301 · 4.10 — 4.14.266 · 4.15 — 4.19.229
debian
debian linux
10.0, 11.0, 9.0
redhat
codeready linux builder
8.0, 8.2
redhat
codeready linux builder for power little endian
8.0, 8.2
+17 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces access restrictions on the cgroup release_agent file to block unauthorized writes that enable the privilege escalation.

prevent

Limits privileges so a container process cannot abuse the release_agent mechanism to obtain host root.

prevent

Enforces process and namespace isolation boundaries that the CVE is explicitly designed to bypass.

References