The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm on a critical Linux kernel vulnerability, identified as CVE-2022-0492, which has been added to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability, stemming from improper authentication, is actively being exploited in the wild and presents a significant risk to systems using the cgroups v1 release_agent feature. The flaw arises from insufficient validation and authentication controls within the Linux kernel's cgroups mechanism. The release_agent functionality is intended to execute a script when a cgroup becomes empty; by exploiting the flaw, a local attacker can manipulate it to run arbitrary commands with elevated privileges. This can allow attackers to escape from containerized environments and gain root-level access on the host system.

Security experts have highlighted that this vulnerability poses a considerable threat to containerized and cloud-native environments where cgroups are extensively used. If systems are misconfigured or unpatched, attackers who have already accessed a compromised container could break out and control the underlying host. This trend of targeting container escape vulnerabilities is part of a broader strategy by attackers to move laterally within cloud infrastructures.

CISA has issued a mandate for federal agencies to address this vulnerability by June 5, 2026, under Binding Operational Directive 22-01. This directive requires the application of vendor-provided patches or mitigations to minimize exposure. Organizations using affected Linux systems are urged to adopt similar timelines to avoid increased risk of compromise. Mitigation strategies include updating the Linux kernel to a patched version that resolves the release_agent issue, disabling unprivileged user namespaces where possible, and restricting access to cgroup configurations. Additionally, security teams should audit container environments and monitor for suspicious cgroup-related activity, which may indicate exploitation attempts.
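
A read-only host audit covering the mitigations listed above, as an added example that is not taken from CISA or a vendor advisory. The function names and the AUDIT_ROOT variable are assumptions of this example; the /proc and /sys paths are the standard kernel interfaces.

```shell
#!/bin/sh
# Added example: read-only audit of the host settings named in the mitigations.
# Every function takes an optional root prefix (assumption for this example) so
# it can be pointed at a copied or constructed tree instead of the live host.

# "v2" when only the unified hierarchy is mounted; otherwise "v1" (pure v1 or
# hybrid), which is where release_agent files exist.
cgroup_mode() {
    if [ -f "$1/sys/fs/cgroup/cgroup.controllers" ]; then echo v2; else echo v1; fi
}

# Reports whether unprivileged user namespaces are disabled. max_user_namespaces
# is the upstream sysctl; unprivileged_userns_clone exists only on kernels that
# carry the Debian/Ubuntu patch.
userns_unprivileged() {
    max=$(cat "$1/proc/sys/user/max_user_namespaces" 2>/dev/null || echo unknown)
    clone=$(cat "$1/proc/sys/kernel/unprivileged_userns_clone" 2>/dev/null || echo absent)
    if [ "$max" = 0 ] || [ "$clone" = 0 ]; then echo disabled
    elif [ "$max" = unknown ]; then echo unknown
    else echo enabled
    fi
}

# Lists "path<TAB>agent" for every v1 hierarchy whose release_agent is set.
# A non-empty value is a review item, not proof of compromise.
release_agents_set() {
    for f in "$1"/sys/fs/cgroup/*/release_agent; do
        [ -f "$f" ] || continue
        agent=$(cat "$f" 2>/dev/null)
        if [ -n "$agent" ]; then printf '%s\t%s\n' "${f#"$1"}" "$agent"; fi
    done
    return 0
}

# uname -r always describes the running kernel, even when a root prefix is given.
audit_host() {
    echo "kernel release:       $(uname -r) (compare with your vendor's fixed version)"
    echo "cgroup mode:          $(cgroup_mode "$1")"
    echo "unprivileged userns:  $(userns_unprivileged "$1")"
    echo "release_agent values:"
    release_agents_set "$1" | sed 's/^/  /'
}

audit_host "${AUDIT_ROOT:-}"
```

Run it on the container host rather than inside a container, since a container usually sees only its own view of /sys/fs/cgroup.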

This inclusion in the KEV catalog highlights the persistent threat of privilege-escalation vulnerabilities in widely deployed open-source components. As attackers increasingly focus on foundational technologies like the Linux kernel, timely patching and proactive monitoring are crucial to protect enterprise and cloud environments against evolving threats.