Detect Linux Kernel cgroup v1 release_agent Privilege Escalation (CVE-2022-0492) in Google Chronicle
CVE-2022-0492 is a Linux kernel vulnerability (CWE-287/CWE-862) in the cgroup v1 release_agent mechanism. A local unprivileged user can exploit improper capability checks to write to /sys/fs/cgroup/*/release_agent and execute arbitrary commands as root, enabling container escape and full host compromise. This vulnerability is listed on CISA KEV, indicating active exploitation in the wild.
MITRE ATT&CK
YARA-L Detection Query
rule cve_2022_0492_cgroup_release_agent {
meta:
author = "df00tech"
description = "Detects CVE-2022-0492 cgroup v1 release_agent exploitation"
severity = "CRITICAL"
priority = "HIGH"
cve = "CVE-2022-0492"
mitre_attack = "T1611"
events:
(
$e1.metadata.event_type = "PROCESS_LAUNCH" and
(
$e1.principal.process.file.full_path = /unshare|nsenter/ and
$e1.principal.process.command_line = /cgroup/
) or
(
$e1.principal.process.command_line = /release_agent|notify_on_release/
)
) or
(
$e1.metadata.event_type = "FILE_MODIFICATION" and
$e1.target.file.full_path = /\/sys\/fs\/cgroup\/.+\/release_agent/
)
condition:
$e1
}Chronicle YARA-L rule detecting CVE-2022-0492 exploitation through cgroup release_agent file modifications and process command-line patterns involving namespace manipulation and cgroup path references.
Data Sources
Required Tables
False Positives & Tuning
- Approved container runtimes performing cgroup lifecycle management during container teardown
- Infrastructure automation tools that manage cgroup hierarchies for resource limits
- Authorized red team or penetration testing activities with documented scope
- Kernel version upgrades or patching operations involving cgroup subsystem changes
Other platforms for CVE-2022-0492
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Write payload to cgroup release_agent (non-privileged namespace simulation)
Expected signal: Process event for unshare with -UrmC flags; file write event to path matching /sys/fs/cgroup/*/release_agent or the tmp mount path; child bash process inheriting modified cgroup namespace
- Test 2Enumerate cgroup v1 hierarchy for exploitable release_agent
Expected signal: Process event for sh/bash with find commands targeting /sys/fs/cgroup paths; multiple file read events against notify_on_release and release_agent pseudo-files
- Test 3Container escape simulation via cgroup release_agent (lab environment)
Expected signal: Docker daemon log showing privileged container creation; host-level process events for cgroup mount, release_agent write; if successful: unexpected process spawned outside container namespace with UID 0; file creation event for escape_proof.txt on host
Unlock Pro Content
Get the full detection package for CVE-2022-0492 including response playbook, investigation guide, and atomic red team tests.