Vypr Intelligence · AI-generated · Jun 2, 2026 · 1 CVE

Linux Kernel Privilege Escalation Flaw CVE-2022-0492 Added to CISA KEV

The Cybersecurity and Infrastructure Security Agency has added a Linux kernel vulnerability, CVE-2022-0492, to its Known Exploited Vulnerabilities catalog following evidence of active exploitation in the wild.

Key findings

  • CISA added Linux kernel vulnerability CVE-2022-0492 to its KEV catalog on June 2, 2026.
  • The flaw resides in the cgroups v1 release_agent helper, allowing container escape and local privilege escalation.
  • Exploitation requires specific container configurations, such as running as root or possessing CAP_SYS_ADMIN.
  • Defenders should immediately patch Linux kernels or restrict container privileges to mitigate exploitation risks.

The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2022-0492 to its Known Exploited Vulnerabilities (KEV) catalog on June 2, 2026. This vulnerability affects the Linux kernel's control groups (cgroups) v1 implementation, specifically involving a logical flaw in the handling of the release_agent file. When successfully exploited, it allows local attackers to escape container environments and escalate privileges to root on the host system.

CVE-2022-0492 is particularly dangerous in containerized environments such as Kubernetes or Docker. If a container is run with certain administrative capabilities—such as CAP_SYS_ADMIN—or is configured to run as root, an attacker who has already compromised the container can abuse the release_agent feature to execute arbitrary code on the underlying host. This makes the flaw a prime target for attackers looking to perform lateral movement or escape sandbox restrictions.

Although this vulnerability was originally disclosed and patched in early 2022, its addition to the KEV catalog indicates that threat actors continue to actively target unpatched systems. There is no indication from CISA that this vulnerability is currently associated with ransomware campaigns, but container escape capabilities remain highly valued by both cyber espionage and financially motivated groups.

Organizations running Linux-based infrastructure must ensure their kernels are updated to versions containing the fix. For environments where immediate patching is difficult, defenders can mitigate the risk by disabling unprivileged user namespaces or ensuring containers run without root privileges and without the CAP_SYS_ADMIN capability. Federal agencies must apply the updates in accordance with CISA's mandated remediation deadlines.
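The following is an added example, not code from the original article or from CISA: a Python check that reads /proc and reports which of the conditions named above hold for the current process, for instance when run inside a container. It assumes Linux, and it assumes the sysctls `kernel.unprivileged_userns_clone` (Debian/Ubuntu) and `user.max_user_namespaces` as the user-namespace switches. It does not tell you whether the running kernel contains the fix.

```python
"""Report CVE-2022-0492 risk conditions for the current process (Linux only)."""
from pathlib import Path

CAP_SYS_ADMIN = 21  # bit index in the capability masks (linux/capability.h)


def parse_status(status_text):
    """Return (effective_uid, has_cap_sys_admin) from /proc/<pid>/status text."""
    fields = dict(l.split(":", 1) for l in status_text.splitlines() if ":" in l)
    euid = int(fields["Uid"].split()[1])         # order: real, effective, saved, fs
    cap_eff = int(fields["CapEff"].strip(), 16)  # hex bitmask of effective caps
    return euid, bool((cap_eff >> CAP_SYS_ADMIN) & 1)


def cgroup_v1_mounts(mounts_text):
    """Mount points whose filesystem type is 'cgroup' (v1), not 'cgroup2'."""
    rows = (line.split() for line in mounts_text.splitlines())
    return [r[1] for r in rows if len(r) >= 3 and r[2] == "cgroup"]


def assess(status_text, mounts_text, userns_clone=None, max_user_ns=None):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    euid, sys_admin = parse_status(status_text)
    if euid == 0:
        findings.append("process runs as root")
    if sys_admin:
        findings.append("CAP_SYS_ADMIN in effective set")
    if cgroup_v1_mounts(mounts_text):
        findings.append("cgroup v1 hierarchy mounted")
    # Assumption: either sysctl set to "0" disables unprivileged user namespaces.
    # An unreadable value (None) is reported conservatively as not disabled.
    if userns_clone != "0" and max_user_ns != "0":
        findings.append("unprivileged user namespaces not disabled")
    return findings


def read(path):
    """Return stripped file contents, or None when the file does not exist."""
    p = Path(path)
    return p.read_text().strip() if p.exists() else None


if __name__ == "__main__":
    result = assess(read("/proc/self/status"), read("/proc/mounts"),
                    read("/proc/sys/kernel/unprivileged_userns_clone"),
                    read("/proc/sys/user/max_user_namespaces"))
    print("\n".join(result) or "none of the checked conditions are present")
```
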

AI-written article. Grounded in 1 CVE record listed below.