
CISA adds 4-year-old Linux kernel cgroups container-escape CVE-2022-0492 to KEV after active exploitation evidence

CISA has added CVE-2022-0492 to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. The four-year-old Linux kernel flaw is an improper-authentication issue in the cgroups v1 release_agent feature that can be abused for container escape and privilege escalation to root on the host. It is well known among container-security researchers as a path to breaking out of misconfigured containers lacking AppArmor/SELinux or seccomp restrictions. Its appearance on KEV signals active in-the-wild abuse, likely in cloud and container environments. FCEB agencies must remediate by the BOD 22-01 deadline; all organizations running container workloads on older kernels should patch and verify hardening immediately.

Check
Inventory container hosts running kernels unpatched against CVE-2022-0492. Check for containers running without AppArmor/SELinux or seccomp confinement, which makes the release_agent escape exploitable.
Affected
Linux hosts on older kernels with the cgroups v1 release_agent flaw, especially containers lacking AppArmor/SELinux or seccomp restrictions. Active exploitation now confirmed via CISA KEV listing.
Fix
Patch host kernels. Enforce seccomp and AppArmor/SELinux on all containers. Drop CAP_SYS_ADMIN where unneeded. FCEB agencies must remediate by the CISA KEV deadline.
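One way to run the confinement check above on a container host, as an added example that is not part of the original article or any CISA tooling: it reads the seccomp mode, effective capabilities, LSM label and cgroup hierarchy that the kernel exposes under /proc for a process. The function names, the finding strings, the sample data and the choice of SELinux types treated as unconfined are assumptions of this example.

```python
import re

CAP_SYS_ADMIN_BIT = 21  # CAP_SYS_ADMIN in linux/capability.h
# Assumption: SELinux types treated here as "not confined" for a container process
UNCONFINED_SELINUX_TYPES = {"unconfined_t", "spc_t"}

def audit_process(status_text, lsm_label, cgroup_text):
    """Return hardening findings for one process, given the text of
    /proc/<pid>/status, /proc/<pid>/attr/current and /proc/<pid>/cgroup."""
    fields = dict(re.findall(r"^(\w+):[ \t]*(.*)$", status_text, re.M))
    findings = []
    # Seccomp: 0 = disabled, 1 = strict, 2 = filter; a missing field counts as disabled
    if fields.get("Seccomp", "0").strip() == "0":
        findings.append("no seccomp filter")
    if (int(fields.get("CapEff", "0"), 16) >> CAP_SYS_ADMIN_BIT) & 1:
        findings.append("CAP_SYS_ADMIN in effective set")
    # AppArmor reports "profile (mode)" or "unconfined"; SELinux reports user:role:type:level
    label = lsm_label.strip("\x00 \n")
    parts = label.split(":")
    selinux_type = parts[2] if len(parts) >= 3 else None
    if label in ("", "unconfined") or selinux_type in UNCONFINED_SELINUX_TYPES:
        findings.append("no AppArmor/SELinux confinement")
    # cgroup v1 lines name a controller ("12:memory:/x"); the v2 line is "0::/x"
    entries = [l.split(":", 2) for l in cgroup_text.splitlines() if l.count(":") >= 2]
    if any(entry[1] for entry in entries):
        findings.append("cgroup v1 hierarchy in use")
    return findings

def audit_pid(pid):
    """Run audit_process against a live PID on the container host."""
    def read(name):
        try:
            with open(f"/proc/{pid}/{name}") as fh:
                return fh.read()
        except OSError:  # file absent, e.g. no LSM loaded or the process has exited
            return ""
    return audit_process(read("status"), read("attr/current"), read("cgroup"))

# Constructed samples (not captured from a real host)
PRIVILEGED = ("Name:\tsh\nCapEff:\t000001ffffffffff\nSeccomp:\t0\n",
              "unconfined\n", "12:memory:/docker/example\n0::/\n")
HARDENED = ("Name:\tsh\nCapEff:\t00000000a80425fb\nSeccomp:\t2\n",
            "docker-default (enforce)\n", "0::/\n")

if __name__ == "__main__":
    for name, sample in (("privileged", PRIVILEGED), ("hardened", HARDENED)):
        print(name, audit_process(*sample))
```

On a host, call `audit_pid()` with the PID of each container's init process as reported by the container runtime; an empty list means none of the four conditions was found for that process, and it says nothing about the host kernel's patch level.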