THU 02 JUL 2026 · GMT EDITION A WHITESTONE INTELLIGENCE PUBLICATION
MARKETS · CYBER · MEMOS · MODELS
DAILY ISSUES26 MAY27 MAY28 MAY29 MAY30 MAY31 MAY01 JUN02 JUN03 JUN04 JUN05 JUN06 JUN07 JUN08 JUN09 JUN10 JUN11 JUN12 JUN13 JUN14 JUN15 JUN16 JUN17 JUN18 JUN19 JUN21 JUN22 JUN23 JUN24 JUN25 JUN26 JUN27 JUN28 JUN29 JUN30 JUN01 JUN02 JUNALL ›
FRONT PAGE / CYBER / CYB-2026-06-002
CYBER · cves zero days · 2026-06-03SCOOP 70

CISA adds 2022 Linux cgroups container-escape bug CVE-2022-0492 to KEV after fresh in-the-wild exploitation

CISA added CVE-2022-0492 to its Known Exploited Vulnerabilities catalog on June 2, 2026, confirming active in-the-wild exploitation of a four-year-old Linux kernel flaw with a CVSS score of 7.8.

·FILED ISSUE 2026-06-03·1 MIN READ·RE-VERIFIED 2026-07-02 UTC·✓ RE-VERIFIED 2026-07-02

At a glance

  • CVE-2022-0492 added to CISA KEV June 2, 2026; CVSS 7.8; CWE-287/CWE-862
  • Flaw in cgroup_release_agent_write() in cgroups v1 (kernel/cgroup/cgroup-v1.c); missing capability check in initial user namespace enables container escape to root
  • Affected kernels span roughly 2.6-4.20 and 5.5-5.17; patched lines e.g. 4.9.301+ and 5.17-rc3+
  • Docker, Kubernetes, LXC on cgroups v1 hosts directly exposed
  • Federal remediation deadline June 5, 2026 under BOD 22-01

VERDICT — CONFIRMED

high confidence · primary + corroborating sources verified · re-verified 2026-07-02 UTC
CISA adds 2022 Linux cgroups container-escape bug CVE-2022-0492 to KEV after fresh in-the-
Image via primary source

CISA added CVE-2022-0492 to its Known Exploited Vulnerabilities catalog on June 2, 2026, confirming active in-the-wild exploitation of a four-year-old Linux kernel flaw with a CVSS score of 7.8. The bug is an improper-authentication/missing-authorization defect (CWE-287, CWE-862) in the cgroup_release_agent_write() function of the cgroups v1 subsystem (kernel/cgroup/cgroup-v1.c). Because of a missing capability check in the initial user namespace, a local attacker can write an arbitrary executable path to the release_agent file, bypass namespace isolation, escalate privileges, and escape a container to gain root on the host.

Affected kernels span roughly 2.6-4.20 and 5.5-5.17; container platforms running Docker, Kubernetes and LXC on cgroups v1 hosts are directly exposed, alongside legacy servers, embedded Linux and IoT devices that deferred kernel updates. CISA set a federal remediation deadline of June 5, 2026 under BOD 22-01. The notable angle is timing: a 2022-vintage CVE entering KEV in mid-2026 signals that attackers are systematically hunting unpatched, long-lived Linux fleets, container hosts and embedded systems where kernel updates are rare.

BleepingComputer's Bill Toulas noted the flaw is not currently tied to ransomware operations, suggesting opportunistic privilege-escalation and container-breakout use, possibly for crypto-mining, lateral movement, or initial-access brokering. Defenders should prioritize cgroups v1 hosts and confirm patched kernel builds (e.g., 4.9.301+ and 5.17-rc3+ lines).

Key facts on file

  • CVE-2022-0492 added to CISA KEV June 2, 2026; CVSS 7.8; CWE-287/CWE-862
  • Flaw in cgroup_release_agent_write() in cgroups v1 (kernel/cgroup/cgroup-v1.c); missing capability check in initial user namespace enables container escape to root
  • Affected kernels span roughly 2.6-4.20 and 5.5-5.17; patched lines e.g. 4.9.301+ and 5.17-rc3+
  • Docker, Kubernetes, LXC on cgroups v1 hosts directly exposed
  • Federal remediation deadline June 5, 2026 under BOD 22-01
  • Not currently tied to ransomware operations per BleepingComputer

OFFICIAL RECORD

BleepingComputer — Bill Toulas (2026-06-03)
· fetched at filing · archived at publication
Share
Filed by the Cyber desk · verified by the verification desk · re-verified 2026-07-02 · Our standards: the two-source rule ›
CITE THIS FILE — The Dossier Wire · cyb-2026-06-002 · filed 2026-06-03 · https://thedwire.com/wire/cyb-2026-06-002-cisa-adds-2022-linux-cgroups-container-escape-bug-cve-2022.html · Primary and corroborating sources listed above; archived at publication. Republishing & licensing: hello@thedwire.com.
More from Cyber FULL DESK ›
Microsoft reverses 'never justifiable' zero-day stance, vows not to pu
CYBER · SCOOP 85

Microsoft reverses 'never justifiable' zero-day stance, vows not to pursue researchers as Nightmare-Eclipse feud spreads

Microsoft publicly walked back an aggressive disclosure stance on June 1-2, 2026 after community backlash. Days earlier (a blog post ~May 28) Microsoft had branded uncoordinated public zero-day disclosures 'never justifiable,' implied legal exposure for those enabling cybercrime, and noted its Digital Crimes Unit would keep bringing cases

exclusivecorrected · see fileSOURCE ↗
READ THE FILE ›
Google patches 124 Android flaws including actively exploited CVE-2025-48595; CI
CYBER · SCOOP 78

Google patches 124 Android flaws including actively exploited CVE-2025-48595; CISA orders federal fix by June 5

Google's June 2026 Android security bulletin patched 124 vulnerabilities, including CVE-2025-48595, an Android Framework integer-overflow bug (CVSS 8.4) that Google says is under 'limited, targeted exploitation' in the wild. The flaw enables code execution and local privilege escalation with no user interaction, the hallmark signature of

✓ verifiedSOURCE ↗
READ THE FILE ›
Trump Signs AI Executive Order Creating Treasury-Run 'AI Cybersecurity Clea
Generated illustration · not a photograph
CYBER · SCOOP 70

Trump Signs AI Executive Order Creating Treasury-Run 'AI Cybersecurity Clearinghouse' and 30-Day Frontier-Model Reviews

On June 2, 2026, President Trump signed an executive order titled 'Promoting Advanced Artificial Intelligence Innovation and Security,' directing national-security and civilian agencies to increase scrutiny of frontier AI models and to bolster federal cyber defenses against AI-enabled threats. A central provision tasks the Treasury Depart

✓ verified
READ THE FILE ›

The morning wire in your inbox — every brief, primary sources linked, no noise.

Free tier. The Wire — continuous desk briefs · Records archive · Bureau alerts.

Stored to the wire's subscriber list. No spam, unsubscribe any time.