CVE-2022-0492

Linux Kernel cgroup v1 release_agent Privilege Escalation (CVE-2022-0492)

CVE-2022-0492 is a Linux kernel vulnerability (CWE-287/CWE-862) in the cgroup v1 release_agent mechanism. The kernel did not require CAP_SYS_ADMIN in the initial user namespace before accepting a write to a hierarchy's release_agent file, so a local unprivileged user who can create user and cgroup namespaces (or a container that is able to mount a cgroup v1 hierarchy) can set release_agent to a path of their choosing. When notify_on_release is set and the cgroup empties, the kernel runs that program as root in the host's namespaces, enabling container escape and full host compromise. This vulnerability is listed on CISA KEV, indicating active exploitation in the wild.

Vulnerability Intelligence

KEV: Known Exploited
CVSS: Unscored

What is CVE-2022-0492 (Linux Kernel cgroup v1 release_agent Privilege Escalation)?

CVE-2022-0492 maps to the MITRE ATT&CK tactics Privilege Escalation (the adversary is trying to gain higher-level permissions), Defense Evasion and Execution.

This page provides detection logic for CVE-2022-0492, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint and Microsoft Sentinel. The query below is rated critical severity at high confidence and is shipped for seven SIEM platforms: KQL, SPL, Elastic, QRadar, Sumo Logic, YARA-L and LogScale.

MITRE ATT&CK

Tactics: Privilege Escalation, Defense Evasion, Execution
Microsoft Sentinel / Defender

```kusto
// Detection for CVE-2022-0492 (cgroup v1 release_agent). Sentinel column names;
// in Defender Advanced Hunting use Timestamp in place of TimeGenerated.
union
(
    // Branch 1: any process whose command line references the cgroup v1 pseudo-files or path
    DeviceProcessEvents
    | where ProcessCommandLine has_any ("release_agent", "notify_on_release", "/sys/fs/cgroup")
    | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, ParentProcessName=InitiatingProcessFileName
),
(
    // Branch 2: modification or creation of release_agent / notify_on_release under /sys/fs/cgroup
    // (the public proof of concept mounts its own hierarchy elsewhere; widen FolderPath if that gap matters to you)
    DeviceFileEvents
    | where FolderPath has "/sys/fs/cgroup"
    | where FileName in~ ("release_agent", "notify_on_release")
    | where ActionType in ("FileModified", "FileCreated")
    | project TimeGenerated, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessCommandLine
),
(
    // Branch 3: children of unshare/nsenter that touch the cgroup filesystem
    DeviceProcessEvents
    | where InitiatingProcessCommandLine has_any ("unshare", "nsenter") and ProcessCommandLine has "/sys/fs/cgroup"
    | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine
)
| extend AlertDetail = "Potential CVE-2022-0492 cgroup v1 release_agent exploitation"
| order by TimeGenerated desc
```

Detects writes to the cgroup v1 release_agent or notify_on_release pseudo-files, unshare/nsenter usage combined with access to the cgroup filesystem, and processes whose command line references cgroup paths, all of which are indicators of CVE-2022-0492 exploitation. Two gaps to keep in mind when tuning: the file branch only matches paths under /sys/fs/cgroup, whereas the public proof of concept mounts a fresh cgroup v1 hierarchy at a path of the attacker's choosing (Test 1 below calls this the tmp mount path), so consider matching the two file names on any path; and a redirection typed into an interactive shell (echo ... > release_agent) is performed by the shell itself and never appears in a child's command line, so the process branch mainly catches scripted or sh -c invocations.

Severity: critical. Confidence: high.
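To make the three branches of the union testable offline, the following Python re-implements them over a handful of constructed MDE-style events. This is an added example, not the page's query or anything from Microsoft; the event dictionaries are made up for illustration, KQL's term-based has matching is approximated with a lowercase substring test, and the any_mount switch shows what the file branch catches once the /sys/fs/cgroup path restriction is dropped.

```python
from __future__ import annotations

# Terms the page's KQL matches with has_any; KQL `has` is a case-insensitive
# whole-term match, approximated here with a lowercase substring test.
CGROUP_TERMS = ("release_agent", "notify_on_release", "/sys/fs/cgroup")
NAMESPACE_TOOLS = ("unshare", "nsenter")
WRITE_ACTIONS = ("FileModified", "FileCreated")


def process_branch(ev: dict) -> bool:
    """Branch 1: any process whose command line references the cgroup v1
    pseudo-files or the /sys/fs/cgroup path."""
    cmd = ev.get("ProcessCommandLine", "").lower()
    return any(term in cmd for term in CGROUP_TERMS)


def file_branch(ev: dict, any_mount: bool = False) -> bool:
    """Branch 2: a write to or creation of release_agent / notify_on_release.
    The page's query only looks under /sys/fs/cgroup; the public proof of concept
    mounts its own cgroup v1 hierarchy (the page's 'tmp mount path'), so
    any_mount=True matches the file names on any path instead."""
    if ev.get("FileName", "").lower() not in ("release_agent", "notify_on_release"):
        return False
    if ev.get("ActionType") not in WRITE_ACTIONS:
        return False
    return any_mount or "/sys/fs/cgroup" in ev.get("FolderPath", "")


def namespace_branch(ev: dict) -> bool:
    """Branch 3: a child of unshare/nsenter whose command line touches /sys/fs/cgroup."""
    parent = ev.get("InitiatingProcessCommandLine", "").lower()
    return (any(tool in parent for tool in NAMESPACE_TOOLS)
            and "/sys/fs/cgroup" in ev.get("ProcessCommandLine", "").lower())


def detect(events: list[dict], any_mount: bool = False) -> list[tuple[str, str]]:
    """Mirror the KQL union: an event that satisfies two branches is reported
    twice, exactly as it would produce two rows in the SIEM."""
    hits: list[tuple[str, str]] = []
    for ev in events:
        if ev["Table"] == "DeviceProcessEvents":
            if process_branch(ev):
                hits.append((ev["Id"], "process"))
            if namespace_branch(ev):
                hits.append((ev["Id"], "namespace"))
        elif ev["Table"] == "DeviceFileEvents" and file_branch(ev, any_mount):
            hits.append((ev["Id"], "file"))
    return hits


# Constructed sample telemetry using MDE column names; not real captured data.
SAMPLE_EVENTS = [
    {"Id": "e1", "Table": "DeviceProcessEvents", "AccountName": "dev",
     "ProcessCommandLine": 'sh -c "echo /tmp/cgrp/cmd > /tmp/cgrp/release_agent"',
     "InitiatingProcessCommandLine": "bash"},
    # e2: the PoC's own mount step; no /sys/fs/cgroup in either command line, so no branch fires
    {"Id": "e2", "Table": "DeviceProcessEvents", "AccountName": "dev",
     "ProcessCommandLine": "mount -t cgroup -o rdma cgroup /tmp/cgrp",
     "InitiatingProcessCommandLine": "unshare -UrmC bash"},
    # e3: release_agent write on the attacker's own mount point; only seen with any_mount=True
    {"Id": "e3", "Table": "DeviceFileEvents", "AccountName": "dev",
     "FolderPath": "/tmp/cgrp", "FileName": "release_agent", "ActionType": "FileModified"},
    {"Id": "e4", "Table": "DeviceFileEvents", "AccountName": "dev",
     "FolderPath": "/sys/fs/cgroup/rdma", "FileName": "release_agent", "ActionType": "FileModified"},
    # e5: benign metrics read by a monitoring agent; a false positive of branch 1
    {"Id": "e5", "Table": "DeviceProcessEvents", "AccountName": "cadvisor",
     "ProcessCommandLine": "cat /sys/fs/cgroup/memory/memory.usage_in_bytes",
     "InitiatingProcessCommandLine": "/usr/bin/cadvisor"},
    {"Id": "e6", "Table": "DeviceProcessEvents", "AccountName": "dev",
     "ProcessCommandLine": "ls /sys/fs/cgroup/rdma",
     "InitiatingProcessCommandLine": "unshare -UrmC bash"},
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print("as written ", row)
    for row in detect(SAMPLE_EVENTS, any_mount=True):
        print("any mount  ", row)
```

Running it shows e2 (the mount) and e3 (the write on /tmp/cgrp) slipping past the query as written, e5 (a metrics collector) firing as a false positive, and e6 producing two rows; those four outcomes are exactly the tuning decisions the False Positives section below is about.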

Data Sources

Microsoft Defender for Endpoint, Microsoft Sentinel

Required Tables

DeviceProcessEvents, DeviceFileEvents

False Positives

  • Legitimate container runtimes (containerd, runc, podman) write to cgroup pseudo-files during normal container lifecycle operations; they have little reason to touch release_agent, so tune on the initiating process rather than suppressing the file name
  • System administrators performing cgroup configuration or tuning
  • Monitoring and observability agents reading cgroup filesystem metrics (reads of /sys/fs/cgroup paths match the process branch even though they never write)
  • CI/CD pipeline runners that manage container namespaces with unshare or nsenter

Sigma rule & cross-platform mapping

The detection logic for CVE-2022-0492 above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CrowdStrike LogScale (CQL) queries. In Sigma terms, this detection targets the following logsource (the process branches; the file branch needs a file_event logsource on the same product):

logsource:
  category: process_creation
  product: linux

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Write payload to cgroup release_agent (non-privileged namespace simulation)

    Expected signal: Process event for unshare with -UrmC flags; file write event to a path matching /sys/fs/cgroup/*/release_agent or the tmp mount path; child bash process inheriting the modified cgroup namespace

  2. Test 2: Enumerate cgroup v1 hierarchy for exploitable release_agent

    Expected signal: Process event for sh/bash with find commands targeting /sys/fs/cgroup paths; multiple file read events against notify_on_release and release_agent pseudo-files

  3. Test 3: Container escape simulation via cgroup release_agent (lab environment)

    Expected signal: Docker daemon log showing privileged container creation; host-level process events for cgroup mount and release_agent write; if successful, an unexpected process spawned outside the container namespace with UID 0 and a file creation event for escape_proof.txt on the host
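As an added, read-only pre-flight check for Test 2 (this is not the page's Pro test content and it writes to no cgroup file), the following Python walks a cgroup v1 mount root, reports each hierarchy's release_agent and notify_on_release state and whether the calling user could write release_agent, and reads the two sysctls that gate unprivileged user namespaces. The directory layout built by build_fake_hierarchy is a constructed stand-in for /sys/fs/cgroup so the walker runs offline; point enumerate_cgroup_v1 at /sys/fs/cgroup, or at a mount path of your own, to inspect a real host.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass
class Hierarchy:
    root: str               # mount root of one cgroup v1 hierarchy
    release_agent: str      # configured agent path; "" means none set
    notify_on_release: bool
    writable: bool          # would a write by the calling uid be permitted?


def _read(path: str, default: Optional[str] = "") -> Optional[str]:
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return default


def enumerate_cgroup_v1(mount_root: str) -> list:
    """release_agent exists only at the root of a cgroup v1 hierarchy, so the
    mount root itself (a fresh mount such as /tmp/cgrp) and its direct children
    (per-controller mounts under /sys/fs/cgroup) are the only places to look.
    A cgroup v2 mount has no release_agent file and yields nothing."""
    candidates = [mount_root]
    for name in sorted(os.listdir(mount_root)):
        path = os.path.join(mount_root, name)
        if os.path.isdir(path):
            candidates.append(path)
    found = []
    for root in candidates:
        agent_file = os.path.join(root, "release_agent")
        if not os.path.isfile(agent_file):
            continue
        found.append(Hierarchy(
            root=root,
            release_agent=_read(agent_file) or "",
            notify_on_release=_read(os.path.join(root, "notify_on_release"), "0") == "1",
            writable=os.access(agent_file, os.W_OK),
        ))
    return found


def writable_agents(hierarchies) -> list:
    """Roots whose release_agent the current user could overwrite by file mode.
    A patched kernel still refuses the write without CAP_SYS_ADMIN in the initial
    user namespace, so treat this as exposure to investigate, not proof of exploitability."""
    return [h.root for h in hierarchies if h.writable]


def userns_sysctls() -> dict:
    """Sysctls that gate the unshare -U path on a real host: user.max_user_namespaces
    is mainline (0 disables user namespaces); kernel.unprivileged_userns_clone exists
    only on Debian/Ubuntu-patched kernels and reads None elsewhere."""
    return {
        "user.max_user_namespaces": _read("/proc/sys/user/max_user_namespaces", None),
        "kernel.unprivileged_userns_clone": _read("/proc/sys/kernel/unprivileged_userns_clone", None),
    }


def build_fake_hierarchy(base: str) -> str:
    """Constructed stand-in for /sys/fs/cgroup: two v1 controller mounts and one
    v2-style directory, so the walker can be exercised without a real cgroupfs."""
    layout = {
        "memory": {"release_agent": "/usr/lib/cgroup-release", "notify_on_release": "1"},
        "rdma": {"release_agent": "", "notify_on_release": "0"},
        "unified": {"cgroup.controllers": "cpu memory"},
    }
    for sub, files in layout.items():
        os.makedirs(os.path.join(base, sub), exist_ok=True)
        for name, content in files.items():
            with open(os.path.join(base, sub, name), "w") as fh:
                fh.write(content + "\n")
    return base


def offline_demo() -> dict:
    base = build_fake_hierarchy(tempfile.mkdtemp(prefix="cgrp-demo-"))
    found = enumerate_cgroup_v1(base)
    return {
        "names": [os.path.basename(h.root) for h in found],
        "notify": {os.path.basename(h.root): h.notify_on_release for h in found},
        "agents": {os.path.basename(h.root): h.release_agent for h in found},
        "writable": [os.path.basename(r) for r in writable_agents(found)],
    }


if __name__ == "__main__":
    print(offline_demo())
    print(userns_sysctls())
    if os.path.isdir("/sys/fs/cgroup"):
        for h in enumerate_cgroup_v1("/sys/fs/cgroup"):
            print(h)
```

Run as root, os.access reports every release_agent as writable, which is meaningless for this check; run it as the unprivileged account you are assessing. Reading release_agent and notify_on_release from a real hierarchy is exactly the telemetry Test 2 expects to see, so this script doubles as a way to generate that signal without the Pro commands.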

Unlock Pro Content

Get the full detection package for CVE-2022-0492 including response playbook, investigation guide, and atomic red team tests.
