[KEV] CVE-2022-0492 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2022-0492 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2022-0492 is a privilege escalation vulnerability in the Linux Kernel, specifically within the cgroups v1 release_agent feature, caused by improper authentication controls.

Technical Detail

The flaw exists in how the Linux Kernel handles the release_agent file in cgroups v1, where insufficient permission checks allow an unprivileged or container-scoped user to write to the release_agent path and trigger execution of an arbitrary program with elevated privileges on the host. An attacker with access to a cgroup namespace, including those operating from within a container environment, can exploit this to escape container boundaries and achieve full root-level privilege escalation on the underlying host. The impact is complete local privilege escalation, and in containerized deployments, this constitutes a container escape leading to host compromise.

Exploitation Status

The exploit maturity for this vulnerability is rated Operational, meaning functional exploit code exists and has been demonstrated in real-world attack conditions, not merely as a proof of concept. CISA has confirmed active exploitation in the wild, with this vulnerability added to the Known Exploited Vulnerabilities catalog on June 2, 2026. Organizations running affected Linux Kernel versions in containerized or multi-tenant environments should treat this as an actively weaponized threat requiring immediate remediation.

Who Is Targeting This

Confirmed (ATTAX-verified): APT38 (DPRK, nation-state motivation), Dragonfly (Russia, nation-state motivation), Mustang Panda (China, nation-state motivation), APT39 (Iran, nation-state motivation), and OilRig (Iran, nation-state motivation) have all been attributed with high confidence to exploitation activity involving this vulnerability.

Reported (research-inferred): No additional public attribution has been identified beyond the confirmed actors listed above.

What To Do

Organizations should prioritize patching the Linux Kernel to a version that addresses CVE-2022-0492 immediately. Per CISA's Known Exploited Vulnerabilities catalog requirements, federal agencies and organizations following BOD 22-01 guidance should apply patches or implement documented mitigations without delay, as the KEV listing date of June 2, 2026 triggers binding remediation timelines. As an interim workaround, administrators can disable or restrict access to cgroups v1 release_agent functionality where operationally feasible, and enforce strict namespace isolation policies. Container environments should be audited to ensure unprivileged users cannot access or modify cgroup hierarchies. Detection efforts should focus on anomalous writes to release_agent paths, unexpected process execution from cgroup contexts, and privilege escalation events originating from container namespaces.
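
One way to start the container audit described above, as an added example that is not part of the original briefing: it parses /proc/mounts-format text and lists every cgroups v1 hierarchy, whether it is mounted read-write, and any release_agent mount option. The function names and the sample mount table are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class CgroupV1Mount:
    mountpoint: str
    writable: bool                 # True when the mount options include "rw"
    release_agent: Optional[str]   # value of the release_agent= mount option, if set

def _unescape(path: str) -> str:
    # /proc/mounts encodes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)

def parse_cgroup_v1_mounts(mounts_text: str) -> List[CgroupV1Mount]:
    """Return every cgroups v1 hierarchy listed in /proc/mounts-format text."""
    found = []
    for line in mounts_text.splitlines():
        fields = line.split()
        # Columns: device, mountpoint, fstype, options, dump, pass
        if len(fields) < 4 or fields[2] != "cgroup":
            continue  # skips cgroup2 (v2 has no release_agent file) and other filesystems
        opts = fields[3].split(",")
        agent = next((o.split("=", 1)[1] for o in opts
                      if o.startswith("release_agent=")), None)
        found.append(CgroupV1Mount(_unescape(fields[1]), "rw" in opts, agent))
    return found

def writable_v1_mounts(mounts_text: str) -> List[CgroupV1Mount]:
    """Hierarchies that are not mounted read-only in this mount namespace."""
    return [m for m in parse_cgroup_v1_mounts(mounts_text) if m.writable]

# Constructed sample of what a container might see; not taken from a real host.
SAMPLE_MOUNTS = """\
overlay / overlay rw,relatime 0 0
cgroup2 /sys/fs/cgroup/unified cgroup2 ro,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/memory cgroup ro,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/rdma cgroup rw,nosuid,nodev,noexec,relatime,rdma 0 0
cgroup /mnt/my\\040cg cgroup rw,relatime,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd 0 0
"""

if __name__ == "__main__":
    try:
        text = open("/proc/mounts").read()   # run inside the container being audited
    except OSError:
        text = SAMPLE_MOUNTS
    for m in parse_cgroup_v1_mounts(text):
        state = "WRITABLE" if m.writable else "read-only"
        print(f"{state:9} {m.mountpoint} release_agent={m.release_agent or '-'}")
```

A hierarchy reported as WRITABLE is a candidate for a read-only remount or removal from the container's mount namespace; file permissions and capabilities still decide whether a given user can modify it.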
