CVE-2022-0492: Linux Kernel cgroups v1 release_agent Privilege Escalation

"A flaw in the Linux kernel's cgroups v1 `release_agent` feature allows local users to escalate privileges and bypass namespace isolation, and CISA added it to the Known Exploited Vulnerabilities catalog on 2026-06-02."

What Is It

CVE-2022-0492 is an improper authentication vulnerability (CWE-287, with a secondary mapping to CWE-862 missing authorization) in the cgroup_release_agent_write function in kernel/cgroup/cgroup-v1.c. Under certain circumstances, the flaw permits abuse of the cgroups v1 release_agent feature to escalate privileges and unexpectedly bypass namespace isolation. NVD rates it CVSS 3.1 base score 7.8 (HIGH), vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, local attack vector, low complexity, low privileges required, no user interaction, with high impact to confidentiality, integrity, and availability.

Why It Matters

Because the vulnerability sits in a core kernel namespace-isolation primitive, it is directly relevant to container security: bypassing namespace isolation undermines the boundary that many container runtimes rely on. CISA added CVE-2022-0492 to the KEV catalog on 2026-06-02 with a required-action due date of 2026-06-05, indicating it is being treated as actively exploited or otherwise high-risk. Known ransomware campaign use is listed as "Unknown." Reference material in the NVD record includes a public write-up titled "Docker cgroups Container Escape," underscoring the container-escape exposure.

What's Vulnerable

The flaw affects the upstream Linux kernel across a wide range of versions starting from 2.6.24; affected releases are those before the fixed stable versions (e.g., before 4.9.301, 4.14.266, and 4.19.229, with corresponding fixes in later series per the NVD configuration data). NVD also lists NetApp firmware products as affected, including H300S, H410C, H410S, H500S, H700S, and HCI Compute Node firmware. CISA notes the issue affects a common open-source component used across many products and advises checking with specific vendors for patch status.

Patch Status

The upstream fix is committed to the Linux kernel tree (commit 24f6008564183aa120d07c03d9289519c2fe02af). Distribution updates are available from Debian (DSA-5095, DSA-5096; debian-lts announcements) and Ubuntu (Kernel Live Patch notices LSN-0085-1 and LSN-0086-1). NetApp published advisory NTAP-20220419-0002 for affected appliances. CISA's required action: apply mitigations per vendor instructions, follow BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable; due 2026-06-05.
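To make the "am I exposed?" question concrete, here is an added exposure-check script; it is not from this brief, the kernel project, or any vendor. It assumes a Linux host, reads `uname -r` and `/proc/mounts`, knows only the fixed stable versions named above (other series report unknown), and the sample mount table in the test is constructed.

```python
"""Exposure check for CVE-2022-0492: is cgroup v1 in use, is its release_agent
file writable by this process, and is the running kernel series known-fixed?"""
import os
import re

# Fixed stable releases named in the brief. Series not listed here (e.g. 5.x)
# are reported as None (unknown) rather than guessed.
FIXED_VERSIONS = {
    (4, 9): (4, 9, 301),
    (4, 14): (4, 14, 266),
    (4, 19): (4, 19, 229),
}


def parse_kernel_version(release):
    """Turn a `uname -r` string such as '4.19.228-2-amd64' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x or 0) for x in m.groups())


def kernel_is_fixed(release):
    """True/False for a listed series, None when the series is not listed.
    Caveat: distribution kernels (Debian DSA, Ubuntu LSN) backport fixes
    without bumping the upstream patch level, so treat this only as a hint
    and rely on the vendor advisory for the final answer."""
    version = parse_kernel_version(release)
    fixed = FIXED_VERSIONS.get(version[:2])
    return None if fixed is None else version >= fixed


def cgroup_v1_hierarchies(proc_mounts_text):
    """Mount points of cgroup v1 hierarchies: fstype 'cgroup', not 'cgroup2'."""
    rows = (line.split() for line in proc_mounts_text.splitlines())
    return [f[1] for f in rows if len(f) >= 3 and f[2] == "cgroup"]


def assess(release, proc_mounts_text, is_writable=None):
    """Summarise exposure. `is_writable` is injectable so the check can be
    exercised offline; by default it asks the OS about the real file."""
    if is_writable is None:
        is_writable = lambda path: os.access(path, os.W_OK)
    v1 = cgroup_v1_hierarchies(proc_mounts_text)
    # Every v1 hierarchy root exposes a release_agent file; one that this
    # process can write to is the exposure signal the brief describes.
    writable = [m for m in v1 if is_writable(os.path.join(m, "release_agent"))]
    return {"kernel_fixed": kernel_is_fixed(release),
            "cgroup_v1_hierarchies": v1,
            "writable_release_agents": writable}


if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        print(assess(os.uname().release, fh.read()))
```

A host on cgroup v2 only (no `cgroup` fstype mounts) has no release_agent file to reach, which is one of the reasons to prefer v2 alongside patching.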

Sources