Linux Kernel Privilege Escalation Flaw CVE-2022-0492 Added to CISA KEV
Key findings • CISA added Linux kernel vulnerability CVE-2022-0492 to its KEV catalog on June 2, 2026. • The flaw resides in the cgroups v1 release_agent helper, allowing container escape and…

Key findings
- CISA added Linux kernel vulnerability CVE-2022-0492 to its KEV catalog on June 2, 2026.
- The flaw resides in the cgroups v1 release_agent helper, allowing container escape and local privilege escalation.
- Exploitation requires specific container configurations, such as running as root or possessing CAP_SYS_ADMIN.
- Defenders should immediately patch Linux kernels or restrict container privileges to mitigate exploitation risks.
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2022-0492 to its Known Exploited Vulnerabilities (KEV) catalog on June 2, 2026. This vulnerability affects the Linux kernel's control groups (cgroups) v1 implementation, specifically involving a logical flaw in the handling of the release_agent file. When successfully exploited, it allows local attackers to escape container environments and escalate privileges to root on the host system.
CVE-2022-0492 is particularly dangerous in containerized environments such as Kubernetes or Docker. If a container is run with certain administrative capabilities—such as CAP_SYS_ADMIN—or is configured to run as root, an attacker who has already compromised the container can abuse the release_agent feature to execute arbitrary code on the underlying host. This makes the flaw a prime target for attackers looking to perform lateral movement or escape sandbox restrictions.
Although this vulnerability was originally disclosed and patched in early 2022, its addition to the KEV catalog indicates that threat actors continue to actively target unpatched systems. There is no indication from CISA that this vulnerability is currently associated with ransomware campaigns, but container escape capabilities remain highly valued by both cyber espionage and financially motivated groups.
Organizations running Linux-based infrastructure must ensure their kernels are updated to versions containing the fix. For environments where immediate patching is difficult, defenders can mitigate the risk by disabling unprivileged user namespaces or ensuring containers run without root privileges and without the CAP_SYS_ADMIN capability. Federal agencies must apply the updates in accordance with CISA's mandated remediation deadlines.
The US cybersecurity agency CISA has issued a warning regarding the in-the-wild exploitation of a Linux kernel vulnerability, CVE-2022-0492. This improper authentication flaw, affecting cgroups v1, allows for privilege escalation and container escapes. While technical details emerged three years ago, active exploitation has only recently been reported, prompting CISA to add it to its Known Exploited Vulnerabilities (KEV) catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2022-0492, a critical vulnerability in the Linux kernel's cgroups v1 release_agent feature, to its Known Exploited Vulnerabilities (KEV) catalog. This improper authentication flaw allows local attackers to escalate privileges, potentially enabling container escapes or gaining root access on affected systems. CISA has mandated federal agencies to remediate this vulnerability by June 5, 2026, highlighting the ongoing threat and active exploitation in the wild.