CISA Warns Linux Kernel CVE-2022-0492 Is Being Exploited in Attacks


CISA has warned that attackers are exploiting an older Linux kernel vulnerability tracked as CVE-2022-0492, bringing renewed attention to a privilege escalation flaw that can affect containerized environments.

The agency added the bug to its Known Exploited Vulnerabilities catalog on June 2, 2026. Federal civilian agencies had until June 5, 2026 to apply vendor fixes, mitigations, or stop using affected products where no mitigation exists.

CVE-2022-0492 is not a new vulnerability. It was disclosed and patched in 2022, but CISA’s latest action means the flaw now has confirmed evidence of exploitation in the wild.

What CVE-2022-0492 does

The NVD entry describes CVE-2022-0492 as a Linux kernel flaw in the cgroup_release_agent_write function in kernel/cgroup/cgroup-v1.c. Under certain conditions, attackers can abuse the cgroups v1 release_agent feature to escalate privileges and bypass namespace isolation.

That makes the bug especially important for Linux servers, container hosts, and cloud-native systems that still expose vulnerable cgroups v1 behavior. An attacker who already has local access, including access inside a weakly configured container, may be able to break isolation and gain higher privileges on the host.

Red Hat’s original Bugzilla tracking page says the flaw may allow privilege escalation through the cgroups v1 release_agent feature. Red Hat marked the issue as high severity and noted that it was fixed upstream in Linux kernel 5.17 rc3.

| Detail | Information |
| --- | --- |
| CVE ID | CVE-2022-0492 |
| Affected component | Linux kernel cgroups v1 release_agent feature |
| Impact | Privilege escalation and namespace isolation bypass |
| NVD severity | High, CVSS 7.8 |
| CISA KEV date added | June 2, 2026 |
| CISA remediation deadline | June 5, 2026 |

Why the Linux kernel flaw matters for containers

The risk comes from the way cgroups help Linux manage and isolate resources. In container environments, cgroups play a central role in separating workloads from the host system.

A Sysdig analysis from 2022 explained that the vulnerable release_agent feature can allow a container escape when several unsafe conditions exist. These include containers running as root, disabled security controls, and cgroups v1 exposure.

In well-hardened environments, common Linux security controls can reduce the risk. Sysdig noted that environments using protections such as SELinux, AppArmor, or Seccomp can block many practical exploitation paths tied to this flaw.

  • The flaw requires local access or access inside a vulnerable container environment.
  • Systems using weak container isolation face higher risk.
  • Unpatched kernels remain dangerous even years after the original fix.
  • CISA’s KEV listing means defenders should treat the bug as an active threat, not only a historical CVE.

Linux distributions patched the issue years ago

Ubuntu’s CVE-2022-0492 security page lists the issue as High priority and shows fixes for several supported Ubuntu kernel packages. The page also notes that the vulnerability was first published on February 8, 2022 and last updated on June 3, 2026.

Debian also addressed the vulnerability in 2022. Its DSA-5095 Linux security advisory said the cgroup-v1 subsystem did not properly restrict access to the release-agent feature, allowing a local user to escalate privileges and bypass namespace isolation.

The age of the patch is part of the concern. Attackers often target older bugs because many organizations keep legacy kernels, outdated appliances, or neglected container hosts in production long after fixes become available.

What CISA is requiring agencies to do

CISA’s KEV entry for CVE-2022-0492 instructs agencies to apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the affected product if mitigations are not available.

Although the KEV deadline applies directly to U.S. federal civilian agencies, private companies should also treat the alert as a patching priority. CISA adds vulnerabilities to the catalog only when it has reliable evidence that attackers are exploiting them.

The NVD vulnerability record lists the issue with a CVSS 3.1 score of 7.8 and maps it to CWE-862, Missing Authorization, and CWE-287, Improper Authentication. This reflects the core security problem: the kernel did not enforce the expected boundary around the release_agent feature.

| Priority action | Reason |
| --- | --- |
| Update affected Linux kernels | Vendor patches address the underlying cgroups v1 flaw |
| Audit container hosts | Misconfigured containers can raise the risk of host compromise |
| Review use of cgroups v1 | The vulnerable behavior is tied to the cgroups v1 release_agent feature |
| Enforce SELinux, AppArmor, and Seccomp where possible | These controls can reduce container escape risk |
| Monitor for suspicious cgroup activity | Attempts to manipulate release_agent behavior may indicate exploitation |

How organizations should reduce exposure

Security teams should start by confirming whether any Linux systems still run kernel versions affected by CVE-2022-0492. That review should include bare-metal servers, virtual machines, container hosts, Kubernetes nodes, and older cloud images.

Ubuntu admins should compare installed kernel packages against Ubuntu’s CVE tracker. Debian admins should review Debian’s Linux update and confirm that the fixed packages were applied across all maintained systems.

Organizations should also review container runtime policies. Running containers as root, disabling AppArmor or Seccomp, and allowing unnecessary namespace or mount behavior can make privilege escalation bugs more damaging.
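
The runtime conditions named above (root user, Seccomp or AppArmor disabled, cgroups v1 visible) can be read from /proc for any process. The following is an added example, not code from CISA, Sysdig, or any vendor cited here; the function names, finding labels, and sample inputs are constructed for illustration, and the AppArmor check assumes the label format of /proc/<pid>/attr/current on an AppArmor host.

```python
import re

# Constructed samples (not from a real host): /proc/mounts, /proc/<pid>/status
# and /proc/<pid>/attr/current as seen for a weakly configured container.
SAMPLE_MOUNTS = (
    "cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,memory 0 0\n"
    "cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec 0 0\n"
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
)
SAMPLE_STATUS = "Name:\tsh\nUid:\t0\t0\t0\t0\nSeccomp:\t0\n"
SAMPLE_LABEL = "unconfined\n"


def cgroup_v1_mounts(mounts_text):
    """Mount points whose filesystem type is 'cgroup' (v1), not 'cgroup2'."""
    rows = (line.split() for line in mounts_text.splitlines())
    return [f[1] for f in rows if len(f) >= 3 and f[2] == "cgroup"]


def status_fields(status_text):
    """Parse 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    return dict(re.findall(r"^(\w+):[ \t]*(.*)$", status_text, re.M))


def audit(mounts_text, status_text, lsm_label):
    """Return the unsafe conditions present for one process (hypothetical labels)."""
    st = status_fields(status_text)
    uids = st.get("Uid", "").split()      # real, effective, saved, filesystem
    findings = []
    if cgroup_v1_mounts(mounts_text):
        findings.append("cgroup-v1-visible")
    if len(uids) > 1 and uids[1] == "0":
        findings.append("runs-as-root")
    if st.get("Seccomp", "0") == "0":     # 0 = disabled, 1 = strict, 2 = filter
        findings.append("seccomp-disabled")
    if lsm_label.strip() in ("", "unconfined"):
        findings.append("apparmor-unconfined")
    return findings


def _read(path):
    """Read a /proc file; return '' if the kernel refuses (e.g. no LSM loaded)."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""


if __name__ == "__main__":
    # On a live Linux system, audit the current process instead of the samples.
    print(audit(_read("/proc/mounts"), _read("/proc/self/status"),
                _read("/proc/self/attr/current")))
```

Run inside a container image or on a node, an empty list means none of these conditions applies to that process; it says nothing about whether the kernel itself is patched.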

Why an old 2022 bug still matters in 2026

CISA’s warning shows that old Linux kernel vulnerabilities can remain useful to attackers when organizations miss kernel updates or run insecure container configurations.

Red Hat’s CVE-2022-0492 tracking record shows how broadly Linux vendors had to respond when the flaw was first disclosed. Multiple enterprise Linux releases received fixes in 2022, but CISA’s 2026 KEV action confirms that some exposed systems still remain attractive targets.

Sysdig’s mitigation guidance remains useful because it focuses on layered defense, not only patching. Patching the kernel closes the flaw, while strong container isolation reduces the impact of future local privilege escalation bugs.

For defenders, the practical message is simple: patch affected Linux kernels, harden container workloads, and investigate any suspicious cgroup manipulation. CVE-2022-0492 may be old, but CISA’s KEV update makes it a current operational risk.

FAQ

What is CVE-2022-0492?

CVE-2022-0492 is a Linux kernel vulnerability in the cgroups v1 release_agent feature. Under certain conditions, it can allow local privilege escalation and namespace isolation bypass, which makes it especially relevant for containerized environments.

When did CISA add CVE-2022-0492 to the KEV catalog?

CISA added CVE-2022-0492 to its Known Exploited Vulnerabilities catalog on June 2, 2026. The remediation deadline for federal civilian agencies was June 5, 2026.

Is CVE-2022-0492 a critical Linux kernel vulnerability?

NVD rates CVE-2022-0492 as High severity with a CVSS 3.1 score of 7.8. Some reports may describe the risk as serious because it can enable privilege escalation or container escape in poorly configured environments.

How can organizations protect against CVE-2022-0492?

Organizations should update affected Linux kernels, review container host configurations, enforce controls such as SELinux, AppArmor, and Seccomp where possible, and monitor for suspicious cgroup or release_agent activity.
