Four years after a fix was released for a Linux kernel privilege escalation flaw, attackers are now actively exploiting it — prompting CISA to add CVE-2022-0492 to the Known Exploited Vulnerabilities catalog with a three-day remediation window for federal agencies.
CVE-2022-0492 and the cgroups v1 Container Escape Mechanism
The vulnerability resides in the cgroup_release_agent_write() function within the Linux kernel’s control groups version 1 (cgroups v1) subsystem. Insufficient authentication checks in this function allow an attacker who has already obtained a foothold inside a containerized workload to bypass namespace isolation — escaping the container entirely and obtaining root-level privileges on the underlying host server.
How cgroup_release_agent_write() Lets Attackers Cross Namespace Boundaries
Namespace isolation is the security boundary that prevents containerized processes from accessing resources on the host or in adjacent containers. The cgroup_release_agent_write() function can be triggered from within a container in a way that crosses that boundary when authentication checks fail to enforce proper restrictions. An attacker with any access inside a container can execute code as root on the host, converting a limited container compromise into a full server takeover.
The risk compounds in cloud-native environments. Kubernetes clusters and container-hosting platforms typically run multiple workloads on shared hardware. A container escape on any single workload exposes every other container on the same host, along with the credentials, secrets, configuration data, and sensitive applications they hold. Organizations running multi-tenant or microservice deployments face the broadest exposure.
Affected Linux Kernel Versions from 2.6 Through 5.17 and the Long Patching Tail
CVE-2022-0492 affects Linux kernel versions 2.6 through 4.20 and 5.5 through 5.17 — a wide range spanning embedded devices, legacy server deployments, and container hosts running outdated kernels. Patched releases include versions 4.9.301 and later, 4.14.266 and later, 4.19.229 and later, 5.4.177 and later, 5.10.97 and later, 5.15.20 and later, and 5.16.6 and later.
The vulnerability carries a CVSS score of 7.8. The breadth of the affected range reflects how production environments often carry kernel versions years behind current releases. Embedded systems and long-running server deployments are particularly susceptible, as are Kubernetes node images that ship with older kernels. Many organizations that patched application-layer vulnerabilities in 2022 have not applied the underlying kernel update that removes this flaw from the stack.
CISA’s Three-Day Federal Deadline and What It Signals
CISA added CVE-2022-0492 to the Known Exploited Vulnerabilities catalog on June 2, 2026, following confirmed in-the-wild exploitation — one day after CISA added Oracle WebLogic CVE-2024-21182, another older patch now being actively weaponized. Federal Civilian Executive Branch agencies are required to remediate CVE-2022-0492 by June 5, 2026, under Binding Operational Directive 22-01.
The KEV addition does not flag ransomware exploitation; the targeting profile is consistent with espionage and targeted intrusion campaigns. The short June 5 deadline, however, signals that CISA considers the threat to be current and accelerating. Once a vulnerability appears on the KEV catalog with a three-day window, the implication is clear: attackers are not waiting for patch cycles to close.
The four-year gap between the original fix and active exploitation is a documented pattern in CISA’s KEV additions, reflecting systematic attacker campaigns against organizations that defer kernel and middleware updates. Production stability requirements, change-freeze policies, and the difficulty of rolling kernel updates on live container infrastructure all contribute to the delay — and attackers are aware of these constraints.
Organizations running Linux kernel versions within the affected ranges — particularly those with Kubernetes deployments, container-hosting infrastructure, or legacy server fleets — should treat this as a critical patching priority and verify whether their node and server images fall within the vulnerable version window.
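To act on the version ranges given above and on the closing advice to verify node and server images, here is an added Python check (example code, not from the article or from any kernel or distribution vendor). It classifies a `uname -r` string against the fixed releases the article lists and reports whether a cgroup v1 hierarchy is mounted at all, since the flaw lives in the v1 release_agent path; the /proc/mounts fstype convention it relies on (`cgroup` for v1, `cgroup2` for v2) is standard Linux behaviour, and the mount lines used for testing are constructed.

```python
"""Version-window check for CVE-2022-0492 (example code, not from the article).
Fixed releases and affected ranges are copied from the text above. Distribution
kernels backport fixes without bumping the upstream version, so 'vulnerable' here
means "check the vendor advisory", not proof of exposure."""
import platform
import re
from typing import Optional, Tuple

# Stable branch -> first patched point release, per the article.
FIXED_STABLE = {(4, 9): 301, (4, 14): 266, (4, 19): 229,
                (5, 4): 177, (5, 10): 97, (5, 15): 20, (5, 16): 6}
# Affected ranges per the article: 2.6..4.20 and 5.5..5.17, inclusive.
AFFECTED_RANGES = [((2, 6), (4, 20)), ((5, 5), (5, 17))]

def parse_release(release: str) -> Tuple[int, int, int]:
    """Turn a 'uname -r' string such as '5.10.96-generic' into (major, minor, patch).
    Anything after the numeric prefix (-generic, .el7.x86_64, ...) is ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def assess(release: str) -> str:
    """Classify a release as 'vulnerable', 'patched' or 'outside listed ranges'."""
    major, minor, patch = parse_release(release)
    branch = (major, minor)
    if branch in FIXED_STABLE:  # maintained stable branch with a known fix
        return "patched" if patch >= FIXED_STABLE[branch] else "vulnerable"
    for low, high in AFFECTED_RANGES:  # EOL branches in the window never got a fix
        if low <= branch <= high:
            return "vulnerable"
    return "outside listed ranges"

def cgroup_v1_mounted(mounts_text: Optional[str] = None) -> bool:
    """True if a cgroup v1 hierarchy is mounted: its fstype field in /proc/mounts
    is 'cgroup', whereas the unified v2 hierarchy appears as 'cgroup2'.
    Pass mounts_text to evaluate captured output offline."""
    if mounts_text is None:
        with open("/proc/mounts") as fh:
            mounts_text = fh.read()
    return any(len(fields) >= 3 and fields[2] == "cgroup"
               for fields in (line.split() for line in mounts_text.splitlines()))

if __name__ == "__main__":
    rel = platform.release()
    print(f"kernel {rel}: {assess(rel)}; cgroup v1 mounted: {cgroup_v1_mounted()}")
```

A host that reports both "vulnerable" and a mounted v1 hierarchy is the case to escalate first; one on cgroup v2 only still needs the kernel update, but the release_agent path the article describes is not reachable.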
