Today is a public holiday in Sweden. CVE-2022-0492 does not care. CISA added it to the Known Exploited Vulnerabilities catalog on June 2, 2026, with a patch deadline of June 5. That deadline has passed, and active attacks against unpatched container hosts are confirmed.

If you run Docker, Kubernetes, or LXC on a host using cgroups v1, and you have not applied kernel patches from 2022, read this now.

The bug

CVE-2022-0492 is a logic bug in kernel/cgroup/cgroup-v1.c, in the handler for the release_agent file of cgroups v1. Every v1 hierarchy has a release_agent file at its root. When notify_on_release is set on a cgroup in that hierarchy and the last process in the cgroup exits, the kernel runs the program named in release_agent as a usermode helper: as root, with full capabilities, in the host's namespaces.

The bug: the write handler for release_agent never checks that the writer holds CAP_SYS_ADMIN in the initial user namespace; the only gate is the file's permission bits. A process that is root inside a container can therefore unshare a new user (and cgroup) namespace, mount a cgroup v1 hierarchy it now owns, write an arbitrary host path into that hierarchy's release_agent, enable notify_on_release on a child cgroup, and let a process exit from that child. The kernel then executes the chosen path as root on the host. The fix is a single capable(CAP_SYS_ADMIN) check at the top of the write handler.

The result is a full container escape to host root. No vulnerability in the container runtime is required; the bug is in the kernel. The runtime's hardening still decides who can reach it: Docker's default seccomp profile blocks creating new user namespaces and its default AppArmor profile blocks mount, so the containers exposed are those running --privileged, with CAP_SYS_ADMIN added, or with seccomp and AppArmor disabled (on hosts without AppArmor, the RHEL family among them, seccomp is the remaining guard). Kubernetes pods get no seccomp profile unless one is set, so an unpatched kernel under a cluster with root-running pods and no seccomp or AppArmor policy is the common exposed case.

Who is affected

Container hosts running:

  • Docker, Kubernetes, or LXC
  • A Linux kernel before the February 2022 patch
  • cgroups v1 (or a kernel configured with both v1 and v2, where v1 is still accessible)

Most modern distributions shipped the fix in their February or March 2022 kernel updates:

  • Ubuntu 20.04 and later: patched in kernel 5.4.0-104 and later
  • RHEL 8 and later: patched in kernel 4.18.0-348 and later
  • Debian 11 (Bullseye): patched in kernel 5.10.103-1 and later

Compare like with like. Each number above belongs to one kernel series; a host on a different series (an Ubuntu 20.04 HWE kernel, a RHEL EUS stream) needs the reference version from that series' own errata. On Debian, uname -r (for example 5.10.0-13-amd64) carries no package revision; the revision that carries the fix appears at the end of /proc/version ("... Debian 5.10.103-1 (date)") and in dpkg -s linux-image-$(uname -r).

The risk is not that a modern OS ships an old kernel. The risk is that many servers running those distributions have not had apt upgrade or yum update run in years. The patch exists. Whether it has been applied is a different question.

Legacy enterprise servers running RHEL 7, CentOS 7, or Ubuntu 18.04 are at higher risk. Kernel patch availability varies and support windows have ended or are ending.

How to check

Check your running kernel version:

uname -r

Check whether cgroups v1 is in use:

grep cgroup /proc/mounts | grep -v cgroup2

If the second command returns lines whose third column (the filesystem type) is cgroup, cgroups v1 hierarchies are mounted on your host. This includes hybrid hosts that mount v2 at /sys/fs/cgroup/unified alongside v1 controllers. A tmpfs line at /sys/fs/cgroup also matches this grep; it is the parent of the v1 tree, not a hierarchy itself.

For Docker specifically, check the cgroup driver in use:

docker info | grep "Cgroup"

Cgroup Version: 1 is the relevant case, whatever the driver. The Cgroup Driver line (cgroupfs or systemd) only says who creates cgroups on Docker's behalf and does not by itself indicate exposure. Cgroup Version: 2 means Docker is on the unified hierarchy, which this vulnerability does not reach; still confirm with the /proc/mounts check above that no v1 hierarchy is mounted anywhere on the host.
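The checks above, combined into one script. This is an added example written for this page, not code from the advisory or from Docker; it assumes a POSIX shell with awk and uses the docker CLI only if it is present. Beyond the page's own commands it also reads the release_agent file of every mounted v1 hierarchy (empty is the kernel default, systemd's own agent on its name=systemd hierarchy is expected, anything else was written by someone) and classifies running containers by whether they keep the default seccomp and AppArmor profiles and lack CAP_SYS_ADMIN, which is what stands between an unpatched kernel and this escape.

```sh
#!/bin/sh
# Added example for this advisory; not code from the page or from any vendor.
# Audits one host for the conditions the cgroup v1 release_agent escape needs:
# mounted v1 hierarchies, release_agent files that already point somewhere,
# and Docker containers running without the seccomp/AppArmor/capability
# limits that normally block the mount step.
# Assumptions: POSIX sh and awk; docker is optional. Each check is a function
# that takes its input as arguments, so it also runs against a saved copy of
# /proc/mounts or of docker inspect output.

# Print the mount point of every cgroup v1 hierarchy in a /proc/mounts-style
# file. Field 3 is the filesystem type: "cgroup" is v1, "cgroup2" is v2, and
# the tmpfs parent at /sys/fs/cgroup is neither. Prints nothing on a pure v2 host.
cgroup_v1_mounts() {
    awk '$3 == "cgroup" { print $2 }' "${1:-/proc/mounts}"
}

# Classify one hierarchy's release_agent value. Empty is the kernel default;
# systemd sets its own agent on the name=systemd hierarchy under v1. Anything
# else was written by someone. Prints "ok" or "suspicious"; status 1 if suspicious.
classify_release_agent() {
    case "$1" in
        ""|*/systemd-cgroups-agent) echo ok; return 0 ;;
        *) echo suspicious; return 1 ;;
    esac
}

# Classify a container from three docker inspect HostConfig fields:
# Privileged ("true"/"false"), SecurityOpt and CapAdd (space-separated lists).
#   exposed  - privileged or CAP_SYS_ADMIN: can mount cgroupfs directly
#   weakened - seccomp or AppArmor unconfined: a default block is gone
#   default  - default profiles in place
container_exposure() {
    privileged="$1"; secopt="$2"; capadd="$3"
    if [ "$privileged" = "true" ]; then echo exposed; return 0; fi
    case " $capadd " in
        *" SYS_ADMIN "*|*" CAP_SYS_ADMIN "*|*" ALL "*) echo exposed; return 0 ;;
    esac
    case "$secopt" in
        *seccomp=unconfined*|*apparmor=unconfined*) echo weakened; return 0 ;;
    esac
    echo default
}

audit_host() {
    echo "== cgroup v1 hierarchies =="
    cgroup_v1_mounts | while read -r mp; do
        agent=$(cat "$mp/release_agent" 2>/dev/null)
        printf '%s release_agent=%s [%s]\n' "$mp" "${agent:-<empty>}" \
            "$(classify_release_agent "$agent")"
    done
    echo "== running containers =="
    if command -v docker >/dev/null 2>&1; then
        docker ps -q 2>/dev/null | while read -r id; do
            # Go prints each slice as [a b]; strip the brackets before classifying
            fields=$(docker inspect --format \
                '{{.HostConfig.Privileged}}|{{.HostConfig.SecurityOpt}}|{{.HostConfig.CapAdd}}' "$id")
            priv=${fields%%|*}; rest=${fields#*|}
            secopt=${rest%%|*}; capadd=${rest#*|}
            secopt=${secopt#"["}; secopt=${secopt%"]"}
            capadd=${capadd#"["}; capadd=${capadd%"]"}
            printf '%s %s\n' "$id" "$(container_exposure "$priv" "$secopt" "$capadd")"
        done
    else
        echo "docker not found; skipping container check"
    fi
}

audit_host
```

Run it as root so every release_agent file is readable. A suspicious line on a host that was exposed is a reason to treat the host as compromised and preserve it for investigation, not only to patch it: the agent path is the attacker's payload, and the cgroup it was armed from may still exist.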

CISA KEV and FCEB deadline

CISA added CVE-2022-0492 to the Known Exploited Vulnerabilities catalog on June 2, 2026 (CISA KEV 2026). The mandatory remediation deadline for U.S. Federal Civilian Executive Branch agencies was June 5, 2026. That deadline has passed.

The KEV listing confirms active exploitation in the wild. This is not theoretical.

The CISA KEV catalog entry: cisa.gov/known-exploited-vulnerabilities-catalog

What to do

  1. Check your kernel version against the patched versions listed above.
  2. If the kernel is unpatched, apply pending security updates and reboot.
  3. If immediate patching is not possible, reduce who can reach the bug: keep Docker's default seccomp and AppArmor profiles, run nothing --privileged or with CAP_SYS_ADMIN, and give Kubernetes pods a seccompProfile (RuntimeDefault), since pods get none by default. There is no switch that disables release_agent alone; the structural fix is to boot v2-only (kernel parameters cgroup_no_v1=all and systemd.unified_cgroup_hierarchy=1), which recent systemd-based releases already do by default. Verify with stat -fc %T /sys/fs/cgroup: cgroup2fs means v2, tmpfs means the v1 tree.
  4. For Kubernetes clusters, confirm the node kernel versions across all nodes. A patched control plane with unpatched worker nodes is still vulnerable.

Rebooting into the new kernel is required. Updating the package is not enough.
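A fleet check for steps 1 and 4, as an added example written for this page (not from the advisory or any vendor): it compares the running kernel against the reference versions quoted above and, if kubectl is on the path, every node's kernel as reported in status.nodeInfo. Assumptions: POSIX sh and awk; the reference versions are the advisory's own and apply only to the kernel series they name; Debian nodes are flagged for a package-level check because the node's kernelVersion is the uname -r form that does not carry the fix revision.

```sh
#!/bin/sh
# Added example for this advisory; not code from the page or from any vendor.
# Decides "patched or not" for the running kernel and, if kubectl is present,
# for every node in the cluster, using the per-distribution reference versions
# the advisory lists. Assumptions: POSIX sh and awk; kubectl optional; the
# reference versions below are taken from the advisory as given and apply only
# to the kernel series they name (other series need their own errata).

# Compare two distribution kernel strings field by field, splitting on
# . - and _ and treating non-numeric fields ("generic", "el8", "amd64") as 0.
# Prints -1, 0 or 1.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[._-]"); nb = split(b, y, "[._-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# Pick the comparable version out of a /proc/version line. Debian's uname -r
# (5.10.0-13-amd64) carries no package revision, but /proc/version ends with
# "... Debian 5.10.103-1 (date)", so prefer that token; otherwise field 3.
kernel_version_from_proc() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) if ($i == "Debian") { print $(i + 1); exit }
        print $3
    }'
}

# Map an /etc/os-release ID or a Kubernetes osImage string to a reference key.
distro_key() {
    case "$1" in
        *ubuntu*|*Ubuntu*) echo ubuntu ;;
        *rhel*|*centos*|*rocky*|*almalinux*|*"Red Hat"*|*CentOS*|*Rocky*|*Alma*) echo rhel ;;
        *debian*|*Debian*) echo debian ;;
        *) echo unknown ;;
    esac
}

# First patched version per series, as quoted by the advisory.
patched_for() {
    case "$1" in
        ubuntu) echo 5.4.0-104 ;;
        rhel)   echo 4.18.0-348 ;;
        debian) echo 5.10.103-1 ;;
        *) return 1 ;;
    esac
}

# Prints patched, UNPATCHED, or unknown (no version or no reference).
kernel_status() {
    [ -n "$1" ] || { echo unknown; return 2; }
    ref=$(patched_for "$2") || { echo unknown; return 2; }
    if [ "$(vercmp "$1" "$ref")" -ge 0 ]; then echo patched; else echo UNPATCHED; fi
}

# Read "NAME KERNEL OS-IMAGE..." lines (kubectl custom-columns output; the
# OS image may contain spaces) and print one status line per node.
node_kernel_report() {
    while read -r name kernel os; do
        d=$(distro_key "$os")
        if [ "$d" = debian ]; then
            # nodeInfo.kernelVersion is uname -r form: the fix revision is invisible here
            echo "$name $kernel $d needs-package-check"
        else
            echo "$name $kernel $d $(kernel_status "$kernel" "$d")"
        fi
    done
}

main() {
    ver=$(kernel_version_from_proc "$(cat /proc/version 2>/dev/null)")
    osid=$(. /etc/os-release 2>/dev/null && printf '%s' "$ID")
    d=$(distro_key "$osid")
    echo "host: kernel=${ver:-unknown} distro=$d status=$(kernel_status "$ver" "$d")"
    if command -v kubectl >/dev/null 2>&1; then
        kubectl get nodes --no-headers -o \
            custom-columns=NAME:.metadata.name,KERNEL:.status.nodeInfo.kernelVersion,OS:.status.nodeInfo.osImage \
            2>/dev/null | node_kernel_report
    fi
}

main
```

The comparison is numeric per field, so it answers "older or newer than the reference" only within one series; a node on a series the advisory does not list prints unknown rather than a guess. Treat UNPATCHED and needs-package-check the same way operationally: confirm from the distribution's errata, patch, and reboot.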