Executive Summary
CISA added CVE-2022-0492 to the Known Exploited Vulnerabilities catalog on 2026-06-02, warning of active exploitation in the wild [cisa.gov opens in a new tab]. The vulnerability affects the Linux kernel's cgroups v1 subsystem (specifically the cgroup_release_agent_write function) and allows a local attacker inside a container to escape namespaces and escalate privileges to root on the host [nvd.nist.gov opens in a new tab] [git.kernel.org opens in a new tab].
The escape is achieved by exploiting the release_agent feature in cgroups v1, which allows the kernel to execute a user-specified command when a cgroup is emptied. If an attacker can write to the release_agent configuration file, they can configure it to execute a payload on the host with root privileges when the cgroup task list is emptied, resulting in a full container escape. Security researchers have published multiple proof-of-concept exploits showing that any container running as root (uid 0) or with CAP_SYS_ADMIN can perform this mount and escape if cgroups v1 is enabled and not restricted [git.kernel.org opens in a new tab] [unit42.paloaltonetworks.com opens in a new tab].
Operators should audit their container environments and Kubernetes nodes to ensure host kernels are updated, restrict container capabilities (disallowing CAP_SYS_ADMIN), and disable unprivileged user namespaces where possible to prevent unprivileged users from mounting cgroups v1 filesystems [nvd.nist.gov opens in a new tab] [unit42.paloaltonetworks.com opens in a new tab].