CVE-2022-0492 Elastic Security · Elastic

Detect Linux Kernel cgroup v1 release_agent Privilege Escalation (CVE-2022-0492) in Elastic Security

CVE-2022-0492 is a Linux kernel vulnerability (CWE-287/CWE-862) in the cgroup v1 release_agent mechanism. A local unprivileged user can exploit improper capability checks to write to /sys/fs/cgroup/*/release_agent and execute arbitrary commands as root, enabling container escape and full host compromise. This vulnerability is listed on CISA KEV, indicating active exploitation in the wild.

MITRE ATT&CK

Tactic
Privilege Escalation Defense Evasion Execution

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.id with maxspan=2m
  [
    process where event.type == "start" and
    (
      process.name in ("unshare", "nsenter") or
      process.args : ("/sys/fs/cgroup*", "*release_agent*", "*notify_on_release*")
    )
  ] by process.pid
  [
    file where event.action in ("creation", "overwrite") and
    file.path : "/sys/fs/cgroup/*/release_agent"
  ] by process.pid
  [
    process where event.type == "start" and
    process.parent.name in ("runc", "containerd-shim", "sh", "bash")
    and process.user.id == "0"
  ] by process.parent.pid
critical severity medium confidence

EQL sequence detecting the three-stage pattern of CVE-2022-0492 exploitation: namespace manipulation → release_agent file write → privileged process execution, correlated by process ID within a 2-minute window.

Data Sources

Elastic Endpointauditbeatfilebeat

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.file-*

False Positives & Tuning

  • Automated container management platforms triggering cgroup cleanup handlers
  • Security scanning tools exercising cgroup filesystem paths
  • Legitimate privilege transitions during container startup orchestrated by trusted runtimes
  • Kernel module testing in development environments

Other platforms for CVE-2022-0492

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Write payload to cgroup release_agent (non-privileged namespace simulation)

    Expected signal: Process event for unshare with -UrmC flags; file write event to path matching /sys/fs/cgroup/*/release_agent or the tmp mount path; child bash process inheriting modified cgroup namespace

  2. Test 2Enumerate cgroup v1 hierarchy for exploitable release_agent

    Expected signal: Process event for sh/bash with find commands targeting /sys/fs/cgroup paths; multiple file read events against notify_on_release and release_agent pseudo-files

  3. Test 3Container escape simulation via cgroup release_agent (lab environment)

    Expected signal: Docker daemon log showing privileged container creation; host-level process events for cgroup mount, release_agent write; if successful: unexpected process spawned outside container namespace with UID 0; file creation event for escape_proof.txt on host

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2022-0492 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0004Privilege EscalationTA0005Defense EvasionTA0002Execution

Related Techniques

T1611Escape to HostT1548.001Setuid and SetgidT1059.004Unix Shell

Same Tactic: Privilege Escalation

Popular Detections