CVE-2022-0492
📋 TL;DR
CVE-2022-0492 is a Linux kernel vulnerability in the cgroups v1 release_agent feature that allows local attackers to escalate privileges and escape container namespaces. This affects Linux systems using cgroups v1 with the release_agent enabled, particularly containerized environments like Docker. Attackers can gain root access on the host system from within a container.
💻 Affected Systems
- Linux Kernel
📦 What is this software?
Codeready Linux Builder For Power Little Endian by Redhat
View all CVEs affecting Codeready Linux Builder For Power Little Endian →
Codeready Linux Builder For Power Little Endian by Redhat
View all CVEs affecting Codeready Linux Builder For Power Little Endian →
Enterprise Linux For Ibm Z Systems by Redhat
View all CVEs affecting Enterprise Linux For Ibm Z Systems →
Enterprise Linux For Ibm Z Systems Eus by Redhat
View all CVEs affecting Enterprise Linux For Ibm Z Systems Eus →
Enterprise Linux For Power Little Endian by Redhat
View all CVEs affecting Enterprise Linux For Power Little Endian →
Enterprise Linux For Power Little Endian Eus by Redhat
View all CVEs affecting Enterprise Linux For Power Little Endian Eus →
Enterprise Linux For Real Time For Nfv Tus by Redhat
View all CVEs affecting Enterprise Linux For Real Time For Nfv Tus →
Enterprise Linux For Real Time For Nfv Tus by Redhat
View all CVEs affecting Enterprise Linux For Real Time For Nfv Tus →
Enterprise Linux For Real Time Tus by Redhat
View all CVEs affecting Enterprise Linux For Real Time Tus →
Enterprise Linux For Real Time Tus by Redhat
View all CVEs affecting Enterprise Linux For Real Time Tus →
Enterprise Linux Server Update Services For Sap Solutions by Redhat
View all CVEs affecting Enterprise Linux Server Update Services For Sap Solutions →
Enterprise Linux Server Update Services For Sap Solutions by Redhat
View all CVEs affecting Enterprise Linux Server Update Services For Sap Solutions →
Fedora by Fedoraproject
H300e by Netapp
H300s by Netapp
H410c by Netapp
H410s by Netapp
H500e by Netapp
H500s by Netapp
H700e by Netapp
H700s by Netapp
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Solidfire \& Hci Management Node by Netapp
Solidfire\, Enterprise Sds \& Hci Storage Node by Netapp
View all CVEs affecting Solidfire\, Enterprise Sds \& Hci Storage Node →
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Full container escape leading to complete host compromise, allowing attackers to execute arbitrary code as root on the underlying host system.
Likely Case
Privilege escalation within container environments, enabling attackers to break out of container isolation and access other containers or the host.
If Mitigated
Limited impact if cgroups v1 release_agent is disabled or proper security controls restrict cgroup access.
🎯 Exploit Status
Exploit requires local access and ability to write to cgroup files. Multiple public exploits exist demonstrating container escape.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel 5.16.11, 5.15.28, 5.10.102, 5.4.177, 4.19.232 or later
Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=2051505
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version. 2. Reboot system. 3. For container hosts, ensure Docker/container runtime is restarted after kernel update.
🔧 Temporary Workarounds
Disable cgroups v1 release_agent
linuxDisable the vulnerable cgroups v1 release_agent feature
echo 0 > /sys/fs/cgroup/release_agent
mount -o remount,ro /sys/fs/cgroup
Use cgroups v2
linuxSwitch to cgroups v2 which is not vulnerable
Add 'systemd.unified_cgroup_hierarchy=1' to kernel boot parameters
🧯 If You Can't Patch
- Disable cgroups v1 release_agent feature on all systems
- Implement strict access controls to prevent unauthorized users from writing to cgroup files
🔍 How to Verify
Check if Vulnerable:
Check kernel version: uname -r. If below patched versions and cgroups v1 release_agent is enabled, system is vulnerable.Check Version:
uname -rVerify Fix Applied:
Verify kernel version is patched: uname -r should show 5.16.11+, 5.15.28+, 5.10.102+, 5.4.177+, or 4.19.232+📡 Detection & Monitoring
Log Indicators:
- Unusual cgroup file writes
- Suspicious container escape attempts
- Unexpected privilege escalation events
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
source="kernel" AND ("cgroup" OR "release_agent") AND ("write" OR "modify")🔗 References
- http://packetstormsecurity.com/files/166444/Kernel-Live-Patch-Security-Notice-LSN-0085-1.html
- http://packetstormsecurity.com/files/167386/Kernel-Live-Patch-Security-Notice-LSN-0086-1.html
- http://packetstormsecurity.com/files/176099/Docker-cgroups-Container-Escape.html
- https://bugzilla.redhat.com/show_bug.cgi?id=2051505
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=24f6008564183aa120d07c03d9289519c2fe02af
- https://lists.debian.org/debian-lts-announce/2022/03/msg00011.html
- https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html
- https://security.netapp.com/advisory/ntap-20220419-0002/
- https://www.debian.org/security/2022/dsa-5095
- https://www.debian.org/security/2022/dsa-5096
- http://packetstormsecurity.com/files/166444/Kernel-Live-Patch-Security-Notice-LSN-0085-1.html
- http://packetstormsecurity.com/files/167386/Kernel-Live-Patch-Security-Notice-LSN-0086-1.html
- http://packetstormsecurity.com/files/176099/Docker-cgroups-Container-Escape.html
- https://bugzilla.redhat.com/show_bug.cgi?id=2051505
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=24f6008564183aa120d07c03d9289519c2fe02af
- https://lists.debian.org/debian-lts-announce/2022/03/msg00011.html
- https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html
- https://security.netapp.com/advisory/ntap-20220419-0002/
- https://www.debian.org/security/2022/dsa-5095
- https://www.debian.org/security/2022/dsa-5096
