{"uuid": "677464bb-d06d-4202-942e-32e7344fdb00", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-0492", "type": "seen", "source": "https://gist.github.com/alon710/da88e5f259853991dd91ab7ce50bbe6d", "content": "# CVE-2022-0492: Privilege Escalation and Container Escape via cgroups v1 release_agent\n\n> **CVSS Score:** 7.8\n> **Published:** 2022-03-03\n> **Full Report:** https://cvereports.com/reports/CVE-2022-0492\n\n## Summary\nCVE-2022-0492 is a high-severity missing authorization vulnerability in the Linux kernel's Control Groups (cgroups) v1 implementation. The flaw resides within the cgroup_release_agent_write function in kernel/cgroup/cgroup-v1.c, where the kernel fails to validate if the process writing to the release_agent file possesses administrative capabilities in the initial user namespace. This allows a local attacker inside a container with root privileges (UID 0) to abuse user namespaces, mount a cgroups v1 directory, modify the release_agent parameter, and execute arbitrary commands on the host system as host root, effectively achieving a complete container escape.\n\n## TL;DR\nA privilege validation omission in the Linux kernel's cgroups v1 release_agent allows containerized processes with root access to bypass namespace isolation and execute arbitrary commands on the host as host root using user namespaces.\n\n## Exploit Status: ACTIVE\n\n## Technical Details\n\n- **CWE ID**: CWE-862\n- **Attack Vector**: Local\n- **CVSS v3.1 Score**: 7.8\n- **EPSS Score**: 0.28124 (Percentile: 96.58%)\n- **Exploit Status**: Active / Weaponized\n- **CISA KEV Status**: Listed (Added 2026-06-02)\n\n## Affected Systems\n\n- Linux Kernel\n- Kubernetes Clusters\n- Docker Runtimes\n- Debian GNU/Linux\n- Red Hat Enterprise Linux\n- Ubuntu Linux\n- Fedora Linux\n- NetApp Storage Solutions\n- **Linux Kernel**: >= 2.6.24, < 5.17 (Fixed in: `5.17-rc3 / 24f6008564183aa120d07c03d9289519c2fe02af`)\n\n## Mitigation\n\n- Upgrade the Linux kernel to version 5.17, or apply backported patches for LTS kernels.\n- Enable and enforce default Seccomp profiles to block the unshare system call.\n- Configure AppArmor or SELinux policies to restrict mounting operations inside containers.\n- Disable unprivileged user namespace creation using sysctl configuration parameters.\n\n**Remediation Steps:**\n1. Verify the current kernel version using: uname -r\n2. Update host operating system packages using the distribution's package manager (e.g., yum update kernel or apt-get install --only-upgrade linux-image-generic).\n3. To mitigate immediately without a reboot, disable unprivileged user namespaces: sysctl -w kernel.unprivileged_userns_clone=0\n4. For Kubernetes clusters, enforce Pod Security Standards to ensure pods run with restricted security profiles and do not run as root.\n\n## References\n\n- [NVD - CVE-2022-0492](https://nvd.nist.gov/vuln/detail/CVE-2022-0492)\n- [CVE.org Record](https://www.cve.org/CVERecord?id=CVE-2022-0492)\n- [Red Hat Bug Tracker](https://bugzilla.redhat.com/show_bug.cgi?id=2051505)\n- [NetApp Security Advisory](https://security.netapp.com/advisory/ntap-20220419-0002/)\n- [Debian Security Advisory](https://www.debian.org/security/2022/dsa-5095)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2022-0492) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-08T05:51:16.000000Z"}