ctipilot.ch

Linux kernel cgroup v1 release_agent container escape (missing CAP_SYS_ADMIN check); CISA KEV 2026-06-02

cve · CVE-2022-0492

Coverage timeline
1
first 2026-06-03 → last 2026-06-03
Peak priority
high
1 high
Sources cited
4
4 hosts
Sections touched
1
deep-dive
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
4
pinned v19.1 · see below

ATT&CK techniques

4 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-06-03/linux-cgroups-v1-release-agent-container-escape-cve-2022-049 · ATT&CK page ↗

Execution TA0002

T1610Deploy Container×1

Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to Escape to Host and access other containers running on the node.

Evidence: 2026-06-03/linux-cgroups-v1-release-agent-container-escape-cve-2022-049 · ATT&CK page ↗

Privilege Escalation TA0004

T1611Escape to Host×1

Adversaries may break out of a container or virtualized environment to gain access to the underlying host. This can allow an adversary access to other containerized or virtualized resources from the host level or to the host itself. In principle, containerized / virtualized resources should provide a clear separation of application functionality and be isolated from the host environment.

Evidence: 2026-06-03/linux-cgroups-v1-release-agent-container-escape-cve-2022-049 · ATT&CK page ↗

Discovery TA0007

T1082System Information Discovery×1

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use this information to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. This behavior is distinct from Local Storage Discovery which is an adversary's discovery of local drive, disks and/or volumes.

Evidence: 2026-06-03/linux-cgroups-v1-release-agent-container-escape-cve-2022-049 · ATT&CK page ↗

Story timeline

  1. 2026-06-03Linux cgroups v1 release_agent container escape (CVE-2022-0492) re-enters active exploitation
    deep-dive

Where this entity is cited

  • deep-dive1

Source distribution

  • access.redhat.com1 (25%)
  • attack.mitre.org1 (25%)
  • cisa.gov1 (25%)
  • unit42.paloaltonetworks.com1 (25%)

explore in graph

Entries about Linux kernel cgroup v1 release_agent container escape (missing CAP_SYS_ADMIN check); CISA KEV 2026-06-02 (1)

2026-06-03 · view entry permalink →

HIGHCVE-2022-0492exploited

Linux cgroups v1 release_agent container escape (CVE-2022-0492) re-enters active exploitation

Background. CVE-2022-0492 was disclosed and patched in early 2022; Palo Alto Unit 42 published the canonical technical analysis in March 2022, walking through how the cgroup-v1 release_agent mechanism becomes a container-escape primitive and how earlier mainline kernels shipped without the missing capability check (Unit 42, 2022-03-07). It has sat quietly for four years. CISA's addition of the CVE to the Known Exploited Vulnerabilities catalog on 2026-06-02 (CISA, 2026-06-02) signals fresh in-the-wild exploitation — consistent with attackers harvesting the large tail of unpatched legacy kernels still running container-dense workloads.

The bug. The kernel's cgroup_release_agent_write() handler in kernel/cgroup/cgroup-v1.c failed to verify that a process writing the cgroup-v1 release_agent file holds CAP_SYS_ADMIN in the initial user namespace — CWE-862 Missing Authorization, CVSS 7.0 (Red Hat, CVE-2022-0492). The release_agent is a host path the kernel executes as root on the host whenever the last task leaves a cgroup that has notify_on_release set. Because the write was under-authorised, a process that can mount or reach a writable cgroup-v1 hierarchy can point release_agent at an attacker-controlled script and then empty a cgroup to trigger it — code execution crosses the container boundary into the host root context. This is the textbook T1611 Escape to Host (MITRE ATT&CK T1611).

Exploitation prerequisites — where it actually bites. The attacker needs prior code execution inside a container (initial access via some other vector — an exposed app, a malicious image, a prior § 1-class foothold). The escape requires the ability to mount a cgroup-v1 hierarchy and write release_agent, which in turn requires CAP_SYS_ADMIN in the user namespace that owns that hierarchy. Unit 42 details the dangerous unprivileged path: a process creates a new user namespace (unshare) to obtain CAP_SYS_ADMIN within that namespace and mount a cgroup-v1 hierarchy — viable when the container runtime has not confined the workload with a seccomp profile blocking the mount/unshare calls or an AppArmor/SELinux policy (Unit 42's final write-up scopes the technique to this unprivileged path). A workload directly granted CAP_SYS_ADMIN reaches the same mount/release_agent primitive trivially, which is why over-broad capability grants are dangerous in their own right. The common denominator is a permissively-profiled container: no seccomp, no mandatory-access-control LSM. Self-hosted Kubernetes clusters and bespoke runtimes that strip the default Docker seccomp profile are the typical exposed surface; managed clusters with hardened pod-security defaults and cgroup-v2-only hosts are largely out of scope.

Kill chain. Initial access into the container (T1190/T1610-class) → discovery of cgroup-v1 writability and capability set (T1082) → T1611 Escape to Host: mount a cgroup-v1 controller, set notify_on_release=1, write a host-path payload into release_agent, then spawn-and-exit a process inside a child cgroup so the kernel executes the payload as host root → host-level execution, after which the operator has the usual post-escape options (credential theft from the host, lateral movement to the orchestrator control plane, T1610 deploying further containers).

Hunt and detection concepts (no rule code): the highest-signal artefact is a write to a release_agent file anywhere under /sys/fs/cgroup/** by a non-root or containerised process — Falco/sysdig ship a community rule for exactly this, and auditd can watch the path. Pair it with auditing of in-container mount() of cgroup filesystems and unshare/clone calls that create new user namespaces (auditd syscall rules), and with Linux Sysmon (EID 1) on processes whose executable path was just written via a cgroup release_agent. On the host, a root-context process spawned with no normal parent lineage (kernel-invoked) executing a script from a container-writable path is the escape firing.

Hardening / mitigation. Patch the kernel to 5.17+ or apply the distro backport (every maintained enterprise distro shipped one in 2022) — this restores the CAP_SYS_ADMIN check and closes the class. Independently of patching, the misconfiguration controls neutralise the path: enforce a seccomp profile (the Docker/containerd defaults already block the required mount), apply AppArmor or SELinux confinement to every workload, never grant CAP_SYS_ADMIN to application containers, and move hosts to cgroup v2 exclusively (systemd.unified_cgroup_hierarchy=1), which does not expose the release_agent escape primitive at all. Mounting /sys/fs/cgroup read-only inside containers removes the write target. For Swiss/EU public-sector teams running self-managed Kubernetes or container hosts on long-lived LTS kernels, this KEV addition is the prompt to verify both the kernel patch level and the pod-security/seccomp baseline, since either control alone defeats the escape.

Background.

ctipilot v2 brief (migrated)
vulnerability03 Jun 05:00Zmulti-sourceOpen finding ↗