
CISA Adds Actively Exploited Linux Kernel CVE-2022-0492 to KEV Catalog — Patch Now

dark6 8 June 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Linux kernel vulnerability — tracked as CVE-2022-0492 — to its Known Exploited Vulnerabilities (KEV) catalog. The agency warns that the flaw is being actively leveraged in real-world attacks, with federal agencies given until June 5, 2026 to apply patches.

What Is CVE-2022-0492?

CVE-2022-0492 is an improper authentication vulnerability rooted in the Linux kernel’s control groups (cgroups) mechanism, specifically the cgroups v1 release_agent feature. The release_agent is designed to execute a script when a cgroup becomes empty. Due to insufficient validation and authentication controls, a local attacker can manipulate this functionality to execute arbitrary commands with elevated privileges — effectively achieving root-level access on the host system.

The vulnerability is classified under CWE-287 (Improper Authentication) and CWE-862 (Missing Authorization), both of which point to a failure to enforce security boundaries. Although the CVE was assigned in 2022, CISA’s addition of the flaw to the KEV catalog in 2026 confirms credible and active exploitation in the wild.

Why Container Environments Are Especially at Risk

Security researchers emphasize that CVE-2022-0492 poses a heightened danger in containerized and cloud-native deployments. Cgroups are widely used for resource isolation in technologies such as Docker, Kubernetes, and other container runtimes. In environments where containers share the same underlying Linux host, an attacker who achieves initial access to a compromised container may exploit this vulnerability to:

  • Break out of the container isolation boundary
  • Escalate privileges to root on the underlying host
  • Move laterally across cloud infrastructure
  • Access sensitive credentials, keys, and environment variables stored on the host

Misconfigured or unpatched systems are particularly vulnerable. The attack pattern aligns with a broader trend of threat actors targeting container escape vulnerabilities to pivot deeper into enterprise and cloud infrastructure.

CISA Directive and Remediation Timeline

CISA’s inclusion of CVE-2022-0492 in the KEV catalog triggers obligations under Binding Operational Directive (BOD) 22-01. Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate KEV-listed vulnerabilities within the specified timeframe. The remediation deadline for this flaw was set at June 5, 2026.

While the mandate applies specifically to federal agencies, CISA strongly encourages all private-sector organizations to treat this with equivalent urgency. Delays in patching on internet-facing or cloud-hosted Linux systems significantly increase the window of exposure to active threat actors.

How to Protect Your Systems

CISA and the broader security community recommend the following mitigation steps:

  • Update the Linux kernel to a patched version that resolves the release_agent vulnerability. Distributions including Ubuntu, Red Hat, Debian, and SUSE have all released patches.
  • Disable unprivileged user namespaces where operationally feasible, as they provide access to cgroup functionality that can be exploited.
  • Restrict cgroup configuration access to privileged users and processes only.
  • Audit container configurations to ensure containers do not run with excessive privileges or mount the host cgroup filesystem.
  • Monitor for suspicious cgroup activity, particularly unexpected writes to release_agent files, which may signal exploitation attempts.
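
A read-only host check for two of the steps above, given as an added example (not code from CISA or the original article): it reports any cgroup v1 hierarchy whose release_agent is set and whether user namespace creation is restricted by sysctl. The function names and the REVIEW output format are assumptions made for illustration; `kernel.unprivileged_userns_clone` is present only on some distributions.

```sh
#!/bin/sh
# Added example: read-only check of release_agent files and user namespace sysctls.
# Paths are overridable arguments so the functions can be run against a fixture.

# Mount points of cgroup v1 hierarchies (filesystem type "cgroup", not "cgroup2").
cgroup_v1_mounts() {
    awk '$3 == "cgroup" { print $2 }' "${1:-/proc/mounts}" 2>/dev/null
}

# Print the release_agent value of one v1 hierarchy root, or nothing if unset.
# The file exists only in the top cgroup of each v1 hierarchy.
release_agent_value() {
    [ -r "$1/release_agent" ] || return 0
    tr -d '\n' < "$1/release_agent"
}

# "restricted" if either sysctl forbids user namespace creation, else "allowed".
# The second sysctl is distribution-specific and may be absent.
userns_state() {
    sys=${1:-/proc/sys}
    if [ "$(cat "$sys/user/max_user_namespaces" 2>/dev/null)" = "0" ] ||
       [ "$(cat "$sys/kernel/unprivileged_userns_clone" 2>/dev/null)" = "0" ]; then
        echo restricted
    else
        echo allowed
    fi
}

# One line per finding; no output means nothing to review.
audit_host() {
    mounts=${1:-/proc/mounts}; sys=${2:-/proc/sys}
    for mnt in $(cgroup_v1_mounts "$mounts"); do
        agent=$(release_agent_value "$mnt")
        if [ -n "$agent" ]; then
            echo "REVIEW: $mnt/release_agent is set to '$agent'"
        fi
    done
    if [ "$(userns_state "$sys")" = "allowed" ]; then
        echo "REVIEW: user namespace creation is not restricted by sysctl"
    fi
}

audit_host "$@"
```

A release_agent value that no administrator or init system configured is the item to investigate; hosts running only cgroup v2 produce no release_agent findings.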

The Bigger Picture: Foundational Software Under Attack

The active exploitation of CVE-2022-0492 underscores a growing risk category: vulnerabilities in foundational, open-source components that underpin vast swathes of modern infrastructure. The Linux kernel powers everything from enterprise data centers to cloud hypervisors, containerized microservices to national critical infrastructure.

Attackers increasingly target these core components precisely because of their ubiquity. A single unpatched kernel vulnerability can open the door to hundreds or thousands of systems across a large organization’s environment. As cloud adoption accelerates and container orchestration platforms become the backbone of enterprise IT, securing the underlying kernel is not optional — it is essential.

Organizations are urged to audit their Linux fleet, prioritize patching in internet-exposed or container-hosting environments, and integrate kernel vulnerability monitoring into their ongoing threat management programs.

Source: Cyber Security News | CISA KEV Catalog
