CVE-2022-0492: Privilege Escalation and Container Escape via cgroups v1 release_agent
Vulnerability ID: CVE-2022-0492
CVSS Score: 7.8
Published: 2022-03-03
CVE-2022-0492 is a high-severity missing authorization vulnerability in the Linux kernel's Control Groups (cgroups) v1 implementation. The flaw resides within the cgroup_release_agent_write function in kernel/cgroup/cgroup-v1.c, where the kernel fails to validate if the process writing to the release_agent file possesses administrative capabilities in the initial user namespace. This allows a local attacker inside a container with root privileges (UID 0) to abuse user namespaces, mount a cgroups v1 directory, modify the release_agent parameter, and execute arbitrary commands on the host system as host root, effectively achieving a complete container escape.
TL;DR
A privilege validation omission in the Linux kernel's cgroups v1 release_agent allows containerized processes with root access to bypass namespace isolation and execute arbitrary commands on the host as host root using user namespaces.
⚠️ Exploit Status: ACTIVE
Technical Details
- CWE ID: CWE-862
- Attack Vector: Local
- CVSS v3.1 Score: 7.8
- EPSS Score: 0.28124 (Percentile: 96.58%)
- Exploit Status: Active / Weaponized
- CISA KEV Status: Listed (Added 2026-06-02)
Affected Systems
- Linux Kernel
- Kubernetes Clusters
- Docker Runtimes
- Debian GNU/Linux
- Red Hat Enterprise Linux
- Ubuntu Linux
- Fedora Linux
- NetApp Storage Solutions
-
Linux Kernel: >= 2.6.24, < 5.17 (Fixed in:
5.17-rc3 / 24f6008564183aa120d07c03d9289519c2fe02af)
Code Analysis
Commit: 24f6008
cgroup-v1: Require capabilities to set release_agent
--- a/kernel/cgroup/cgroup-v1.c
+++ b/kernel/cgroup/cgroup-v1.c
@@ -549,6 +549,14 @@ static ssize_t cgroup_release_agent_write(struct kernfs_open_file *of,
BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX);
+ /*
+ * Release agent gets called with all capabilities,
+ * require capabilities to set release agent.
+ */
+ if ((of->file->f_cred->user_ns != &init_user_ns) ||
+ !capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
cgrp = cgroup_kn_lock_live(of->kn, false);
if (!cgrp)
return -ENODEV;
@@ -954,6 +962,12 @@ int cgroup1_parse_param(struct fs_context *fc, struct fs_parameter *param)
/* Specifying two release agents is forbidden */
if (ctx->release_agent)
return invalfc(fc, "release_agent respecified");
+ /*
+ * Release agent gets called with all capabilities,
+ * require capabilities to set release agent.
+ */
+ if ((fc->user_ns != &init_user_ns) || !capable(CAP_SYS_ADMIN))
+ return invalfc(fc, "Setting release_agent not allowed");
ctx->release_agent = param->string;
param->string = NULL;
break;
Exploit Details
- GitHub (PaloAltoNetworks): Vulnerability detection script testing susceptibility using user namespaces and memory cgroups.
- GitHub (chenaotian): Detailed exploit script automate container breakout via cgroups release_agent.
Mitigation Strategies
- Upgrade the Linux kernel to version 5.17, or apply backported patches for LTS kernels.
- Enable and enforce default Seccomp profiles to block the unshare system call.
- Configure AppArmor or SELinux policies to restrict mounting operations inside containers.
- Disable unprivileged user namespace creation using sysctl configuration parameters.
Remediation Steps:
- Verify the current kernel version using: uname -r
- Update host operating system packages using the distribution's package manager (e.g., yum update kernel or apt-get install --only-upgrade linux-image-generic).
- To mitigate immediately without a reboot, disable unprivileged user namespaces: sysctl -w kernel.unprivileged_userns_clone=0
- For Kubernetes clusters, enforce Pod Security Standards to ensure pods run with restricted security profiles and do not run as root.
References
- NVD - CVE-2022-0492
- CVE.org Record
- Red Hat Bug Tracker
- NetApp Security Advisory
- Debian Security Advisory
Read the full report for CVE-2022-0492 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)