Linux kernel local privilege escalation (CVE-2022-0492) [PoC]

Actively exploited in the wild - CVE-2022-0492 is a high-severity privilege escalation in the Linux kernel that lets a local attacker gain root access by abusing the cgroups v1 release_agent feature, bypassing namespace isolation.

Overview

CVE-2022-0492 is a vulnerability in the Linux kernel’s cgroup_release_agent_write function within kernel/cgroup/cgroup-v1.c. Under specific conditions, an attacker with low privileges can manipulate the cgroups v1 release_agent mechanism to execute arbitrary code as root. This effectively breaks the security boundaries provided by namespace isolation, a core Linux security feature.

The root cause is that the kernel does not properly validate whether a process has the necessary capabilities to set the release_agent path, allowing an unprivileged user to trigger code execution in the root namespace.

Impact

Successful exploitation of CVE-2022-0492 results in local privilege escalation (LPE) to root. An attacker who already has a foothold on the system - even with minimal privileges - can fully compromise the host. This is especially dangerous in containerized environments, where the vulnerability can allow a container escape.

The flaw has a CVSS score of 7.8 (High) with a low attack complexity and no user interaction required.

Remediation

The Linux kernel fix for CVE-2022-0492 is included in version 5.18-rc2 and has been backported to most stable kernel releases. All major Linux distributions have released patches.

Immediate actions:

1. Update your kernel to the latest patched version from your distribution vendor.
2. If you run containers, ensure the container runtime is configured to disable cgroups v1 or restrict the release_agent feature.
3. As a mitigation, add cgroup_no_v1=net_prio,net_cls,hugetlb,memory,pids,rdma,misc to your kernel boot parameters to disable cgroups v1 entirely.

Security Insight

CVE-2022-0492 highlights a recurring pattern: legacy Linux kernel features (cgroups v1) often lack the hardening applied to their modern counterparts (cgroups v2). This vulnerability is reminiscent of the 2021 CVE-2021-22555, another cgroups flaw used for container escape. Both demonstrate that maintaining backward compatibility with older kernel subsystems carries real security debt. Organizations still running cgroups v1 should treat this as a strong signal to migrate to cgroups v2, which by default restricts release_agent functionality.

For more context on recent kernel threats, see:

• Weekly Threat Roundup: Apache & cPanel Zero-Days (Apr 27 - May 3)
• CISA Adds Actively Exploited Linux Root Bug CVE-2026-31
• Nine CrackArmor Flaws in Linux AppArmor Enable Root

Further Reading

• Weekly Threat Roundup: Apache & cPanel Zero-Days (Apr 27 - May 3)
• CISA Adds Actively Exploited Linux Root Bug CVE-2026-31
• Nine CrackArmor Flaws in Linux AppArmor Enable Root
• All High Vulnerabilities
• Recent Critical Vulnerabilities
• Top Critical CVEs