At a glance: A 2022 Linux kernel vulnerability allows a local adversary to escape a container and execute code as root on the host system. Following its addition to the KEV catalog on June 2, 2026, organizations are advised to validate that their systems are running vendor-fixed kernels rather than relying on version numbers alone. Because the fix was backported into supported kernels, both older and newer versions can be either patched or exposed, making it critical to confirm patch status and ensure container security controls are enforced to reduce exposure.
Threat summary
On June 2, 2026, the US Cybersecurity and Infrastructure Security Agency (CISA) added another Linux kernel vulnerability to the Known Exploited Vulnerabilities (KEV) catalog, confirming in-the-wild exploitation.
The vulnerability, tracked as CVE-2022-0492, allows privilege escalation with low complexity and no user interaction once an adversary has local access to a system. Initial compromise provides a foothold within a container or limited user context.
The flaw was rated with a Common Vulnerability Scoring System (CVSS) score of 7.8 (High).
CVE-2022-0492 affects Linux systems that use control groups version 1 (cgroups v1), a feature widely used to isolate workloads in container platforms such as Docker and Kubernetes. The issue is due to a missing authorization check in the release_agent mechanism, which allows a program to be executed when a group of processes completes.
An adversary can point this mechanism to a malicious binary, which the kernel then executes with root privileges on the host. This breaks container isolation and enables movement from a container to the underlying system.
The vulnerability was addressed in 2022, with the fix introduced upstream in Linux kernel version 5.17 release candidate 3 and backported by operating system vendors. Public exploit references and proof-of-concept code have been available since 2023.
Analysis
Organizations are affected when they run Linux systems with cgroups v1 enabled and support workloads from different trust levels. This includes container hosts, shared infrastructure, continuous integration systems, and environments where multiple users or services can execute code.
Default container security controls play a significant role in preventing exploitation. Environments that enforce protections such as Security-Enhanced Linux (SELinux), AppArmor, or Seccomp prevent the container escape path associated with CVE-2022-0492. Environments where these controls are not enabled or are misconfigured, or where containers are deployed with elevated privileges, are most at risk.
For CVE-2022-0492, the fix was introduced upstream in Linux kernel version 5.17, but vendors applied that fix to earlier supported kernels through backporting. This means an older kernel can be fully patched, while a newer version can remain exposed if updates have not been applied.
Vendors such as Red Hat, Ubuntu, and Debian publish security advisories that list the kernel builds containing the fix. These advisories are the authoritative source, as they map CVEs to specific kernel packages. Validation therefore relies on matching the running kernel to a version explicitly marked as fixed by the vendor, rather than relying on version number alone.
To verify exposure, identify the kernel currently in use and compare it to the vendor’s advisory for CVE-2022-0492. A system is not exposed when the running kernel matches a vendor-confirmed fixed version. If that mapping cannot be confirmed, the system remains in scope for remediation.
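The verification step above can be scripted per host. The following is an added example, not code from the advisory or from any vendor: it treats a kernel as fixed only on an exact match against a list the operator copies from the vendor advisory, and otherwise reports the host as in scope together with whether cgroups v1 is mounted and whether SELinux or AppArmor is loaded. The function names, file layout and sample values are assumptions, and per-container seccomp profiles are not checked.

```shell
#!/usr/bin/env bash
# Added example: triage one host for CVE-2022-0492 as described in the text.
# Sample data is constructed; real fixed builds must come from the vendor advisory.

# Succeeds if a cgroup v1 hierarchy is mounted (fstype "cgroup"; v2 is "cgroup2").
has_cgroup_v1() {            # $1 = file in /proc/mounts format
  awk '$3 == "cgroup" { found = 1 } END { exit !found }' "$1"
}

# Succeeds only if the running release is listed verbatim as fixed by the vendor.
kernel_is_vendor_fixed() {   # $1 = `uname -r` output, $2 = one fixed release per line
  [ -r "$2" ] && grep -Fxq -- "$1" "$2"
}

# Succeeds if SELinux or AppArmor is an active LSM (loaded; not proof of enforcing).
lsm_present() {              # $1 = file in /sys/kernel/security/lsm format
  tr ',' '\n' < "$1" | grep -Eqx 'selinux|apparmor'
}

# Prints "fixed", or "in-scope:<cgroup state>:<lsm state>" to prioritise remediation.
triage() {                   # $1 = release, $2 = mounts, $3 = fixed list, $4 = lsm file
  if kernel_is_vendor_fixed "$1" "$3"; then
    echo "fixed"; return 0
  fi
  t_v1="no-cgroup-v1"; t_lsm="no-lsm"
  has_cgroup_v1 "$2" && t_v1="cgroup-v1"
  lsm_present "$4" && t_lsm="lsm-present"
  echo "in-scope:${t_v1}:${t_lsm}"
}

# --- constructed demo input (placeholders, not real advisory data) ---
demo=$(mktemp -d)
printf '%s\n' 'cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,memory 0 0' \
              'proc /proc proc rw 0 0' > "$demo/mounts_v1"
printf '%s\n' 'cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid 0 0' > "$demo/mounts_v2"
printf '%s\n' '9.9.9-2-fixed.example' > "$demo/fixed"
printf '%s' 'lockdown,capability,yama,apparmor' > "$demo/lsm"
printf '%s' 'lockdown,capability,yama' > "$demo/nolsm"

triage '9.9.9-2-fixed.example' "$demo/mounts_v1" "$demo/fixed" "$demo/lsm"
triage '9.9.9-1-old.example'   "$demo/mounts_v1" "$demo/fixed" "$demo/nolsm"
# On a real host: triage "$(uname -r)" /proc/mounts fixed.txt /sys/kernel/security/lsm
```

A missing or unreadable fixed list yields "in-scope", which matches the rule that an unconfirmed mapping keeps the system in scope for remediation.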