CISA adds 2022 Linux cgroups container-escape bug CVE-2022-0492 to KEV after fresh in-the-wild exploitation
CISA added CVE-2022-0492 to its Known Exploited Vulnerabilities catalog on June 2, 2026, confirming active in-the-wild exploitation of a four-year-old Linux kernel flaw with a CVSS score of 7.8.
At a glance
- CVE-2022-0492 added to CISA KEV June 2, 2026; CVSS 7.8; CWE-287/CWE-862
- Flaw in cgroup_release_agent_write() in cgroups v1 (kernel/cgroup/cgroup-v1.c); missing capability check in initial user namespace enables container escape to root
- Affected kernels span roughly 2.6-4.20 and 5.5-5.17; patched lines e.g. 4.9.301+ and 5.17-rc3+
- Docker, Kubernetes, LXC on cgroups v1 hosts directly exposed
- Federal remediation deadline June 5, 2026 under BOD 22-01
VERDICT — CONFIRMED
CISA added CVE-2022-0492 to its Known Exploited Vulnerabilities catalog on June 2, 2026, confirming active in-the-wild exploitation of a four-year-old Linux kernel flaw with a CVSS score of 7.8. The bug is an improper-authentication/missing-authorization defect (CWE-287, CWE-862) in the cgroup_release_agent_write() function of the cgroups v1 subsystem (kernel/cgroup/cgroup-v1.c). Because of a missing capability check in the initial user namespace, a local attacker can write an arbitrary executable path to the release_agent file, bypass namespace isolation, escalate privileges, and escape a container to gain root on the host.
Affected kernels span roughly 2.6-4.20 and 5.5-5.17; container platforms running Docker, Kubernetes and LXC on cgroups v1 hosts are directly exposed, alongside legacy servers, embedded Linux and IoT devices that deferred kernel updates. CISA set a federal remediation deadline of June 5, 2026 under BOD 22-01. The notable angle is timing: a 2022-vintage CVE entering KEV in mid-2026 signals that attackers are systematically hunting unpatched, long-lived Linux fleets, container hosts and embedded systems where kernel updates are rare.
BleepingComputer's Bill Toulas noted the flaw is not currently tied to ransomware operations, suggesting opportunistic privilege-escalation and container-breakout use, possibly for crypto-mining, lateral movement, or initial-access brokering. Defenders should prioritize cgroups v1 hosts and confirm patched kernel builds (e.g., 4.9.301+ and 5.17-rc3+ lines).
Key facts on file
- CVE-2022-0492 added to CISA KEV June 2, 2026; CVSS 7.8; CWE-287/CWE-862
- Flaw in cgroup_release_agent_write() in cgroups v1 (kernel/cgroup/cgroup-v1.c); missing capability check in initial user namespace enables container escape to root
- Affected kernels span roughly 2.6-4.20 and 5.5-5.17; patched lines e.g. 4.9.301+ and 5.17-rc3+
- Docker, Kubernetes, LXC on cgroups v1 hosts directly exposed
- Federal remediation deadline June 5, 2026 under BOD 22-01
- Not currently tied to ransomware operations per BleepingComputer


