Detect Linux Kernel cgroup v1 release_agent Privilege Escalation (CVE-2022-0492) in Splunk

CVE-2022-0492 is a Linux kernel vulnerability (CWE-287/CWE-862) in the cgroup v1 release_agent feature. Before the fix, the kernel only required that the writer hold CAP_SYS_ADMIN in its own user namespace, not in the initial (host) user namespace. A local unprivileged process can therefore create a user namespace in which it is "root" (unshare -U -r), mount a cgroup v1 hierarchy, write an arbitrary program path into that hierarchy's release_agent file and set notify_on_release; when the last process in the cgroup exits, the kernel runs the release agent as real root in the host namespace. In a container that runs without seccomp and AppArmor/SELinux confinement, or with CAP_SYS_ADMIN, this yields container escape and full host compromise. The fix (mainline 5.17, backported to the stable branches) requires CAP_SYS_ADMIN in the initial user namespace to set release_agent; cgroup v2 has no release_agent and is not affected. This vulnerability is listed on CISA KEV, indicating active exploitation in the wild.

MITRE ATT&CK

Tactics

  • Privilege Escalation
  • Defense Evasion
  • Execution

SPL Detection Query

index=linux_security sourcetype IN ("sysmon_linux", "auditd", "osquery")
(
  (EventCode=11 OR event_type="WRITE" OR event_type="OPEN")
  TargetFilename="*/release_agent"
)
OR
(
  (EventCode=1 OR event_type="execve")
  (
    (process IN ("sh","bash","dash") CommandLine="*release_agent*")
    OR (process IN ("unshare","nsenter") CommandLine="*/sys/fs/cgroup*")
    OR (process="mount" CommandLine="*-t cgroup*")
    OR CommandLine="*notify_on_release*"
  )
)
| eval risk_score=case(
    match(TargetFilename,"release_agent"), 95,
    match(CommandLine,"unshare.*cgroup"), 85,
    true(), 70
  )
| eval cve="CVE-2022-0492"
| table _time, host, user, process, CommandLine, TargetFilename, risk_score, cve
| sort -risk_score

Severity: critical. Confidence: high.

The query detects writes to any file named release_agent (the wildcard path covers both the default /sys/fs/cgroup/<controller>/release_agent and a hierarchy the attacker mounts elsewhere, such as a directory under /tmp), shell executions referencing release_agent or notify_on_release, mounts of a cgroup v1 filesystem, and namespace manipulation (unshare/nsenter) whose command line references /sys/fs/cgroup, all indicative of CVE-2022-0492. Three caveats for deployment. First, the query assumes the three sourcetypes have been normalized to the Sysmon-style field names process, CommandLine and TargetFilename; native auditd records use exe/comm and PATH name fields, and osquery process events use path/cmdline, so field aliases or a CIM-compliant add-on are required or those branches silently match nothing. Second, Sysmon for Linux EventCode 11 is FileCreate and may not fire for a write to a pre-existing pseudo-file such as release_agent; confirm in a lab that your chosen source actually emits an event for the write, and prefer auditd or osquery file telemetry for that branch. Third, a bare `unshare -UrmC bash` does not match the unshare clause because its command line does not mention /sys/fs/cgroup; the subsequent mount and release_agent write in the child are what the query catches.
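The script below is an added reference model of the SPL logic above, not code from the original page or from Splunk. It runs the same filter and case() scoring over a handful of constructed, already-normalized events so the matching can be checked offline before the search is deployed. It also adds a hypothetical parent-process allowlist for the false positives listed further down (ParentImage is an assumed Sysmon-style field, and the kubelet/dockerd/containerd paths are assumptions); that allowlist is applied only to the lower-confidence clauses, never to a write of release_agent itself.

```python
"""Reference model of the CVE-2022-0492 SPL detection, run over constructed events.

Added example. Events are dicts already normalized to the field names the SPL
query relies on (process, CommandLine, TargetFilename, EventCode/event_type).
"""
import re
from fnmatch import fnmatchcase

# Event kinds the query treats as file writes and process executions.
WRITE_KINDS = {"11", "WRITE", "OPEN"}   # Sysmon FileCreate, auditd/osquery open/write
EXEC_KINDS = {"1", "execve"}            # Sysmon ProcessCreate, auditd/osquery execve
SHELLS = {"sh", "bash", "dash"}
NS_TOOLS = {"unshare", "nsenter"}

# Assumed tuning field and values (not part of the page's query): parent
# binaries that legitimately manage cgroups. Only low/medium scores are
# suppressed for them; a release_agent write (95) always fires.
ALLOWED_PARENTS = {"/usr/bin/kubelet", "/usr/bin/dockerd", "/usr/bin/containerd"}


def _kind(ev):
    """EventCode (Sysmon) or event_type (auditd/osquery), as a string."""
    return str(ev.get("EventCode") or ev.get("event_type") or "")


def matches(ev):
    """Return True if the event satisfies the SPL search filter."""
    kind = _kind(ev)
    path = ev.get("TargetFilename", "")
    cmd = ev.get("CommandLine", "")
    proc = ev.get("process", "")
    # File branch: any write to a file named release_agent, wherever mounted.
    if kind in WRITE_KINDS and fnmatchcase(path, "*/release_agent"):
        return True
    # Process branch: shells, namespace tools, cgroup mounts, notify_on_release.
    if kind in EXEC_KINDS:
        if proc in SHELLS and "release_agent" in cmd:
            return True
        if proc in NS_TOOLS and "/sys/fs/cgroup" in cmd:
            return True
        if proc == "mount" and "-t cgroup" in cmd:
            return True
        if "notify_on_release" in cmd:
            return True
    return False


def risk_score(ev):
    """Mirror the SPL eval case(): the first true condition wins."""
    if re.search(r"release_agent", ev.get("TargetFilename", "")):
        return 95
    if re.search(r"unshare.*cgroup", ev.get("CommandLine", "")):
        return 85
    return 70


def run_detection(events):
    """Filter, score, apply the allowlist to sub-95 hits, sort like `sort -risk_score`."""
    hits = []
    for ev in events:
        if not matches(ev):
            continue
        score = risk_score(ev)
        if score < 95 and ev.get("ParentImage") in ALLOWED_PARENTS:
            continue
        hits.append({**ev, "risk_score": score, "cve": "CVE-2022-0492"})
    return sorted(hits, key=lambda h: h["risk_score"], reverse=True)


# Constructed sample events (not real telemetry), in the order an attacker would produce them.
SAMPLE_EVENTS = [
    {"_time": "t1", "host": "node1", "user": "app", "EventCode": 1, "process": "unshare",
     "CommandLine": "unshare -UrmC bash"},                                   # no match: no cgroup path
    {"_time": "t2", "host": "node1", "user": "app", "EventCode": 1, "process": "mount",
     "CommandLine": "mount -t cgroup -o rdma cgroup /tmp/cgrp"},            # 70
    {"_time": "t3", "host": "node1", "user": "app", "EventCode": 1, "process": "sh",
     "CommandLine": "sh -c 'echo 1 > /tmp/cgrp/x/notify_on_release'"},      # 70
    {"_time": "t4", "host": "node1", "user": "app", "event_type": "WRITE",
     "TargetFilename": "/tmp/cgrp/release_agent"},                           # 95, non-default mount point
    {"_time": "t5", "host": "node2", "user": "root", "EventCode": 1, "process": "unshare",
     "CommandLine": "unshare -UrmC sh -c 'mount -t cgroup -o memory cgroup /sys/fs/cgroup/memory'"},  # 85
    {"_time": "t6", "host": "node2", "user": "root", "event_type": "WRITE",
     "TargetFilename": "/sys/fs/cgroup/kubepods/pod1/cgroup.procs",
     "ParentImage": "/usr/bin/kubelet"},                                     # benign lifecycle write, no match
    {"_time": "t7", "host": "node2", "user": "root", "EventCode": 1, "process": "mount",
     "CommandLine": "mount -t cgroup -o cpu,cpuacct cgroup /sys/fs/cgroup/cpu,cpuacct",
     "ParentImage": "/usr/bin/kubelet"},                                     # matches at 70, suppressed
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["risk_score"], hit["_time"], hit["host"],
              hit.get("TargetFilename") or hit.get("CommandLine"))
```

Running it prints four hits, highest score first: the release_agent write under /tmp/cgrp (95), the unshare with a cgroup mount on its command line (85), then the mount and the notify_on_release shell (70 each). The bare `unshare -UrmC bash` and both kubelet events produce nothing, which is the behaviour to confirm against real telemetry before trusting the search.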

Data Sources

Linux Sysmon, auditd, osquery

Required Sourcetypes

sysmon_linux, auditd, osquery

False Positives & Tuning

  • Container orchestration systems (Kubernetes kubelet, Docker daemon) performing legitimate cgroup lifecycle management
  • System tuning scripts that configure cgroup release behavior
  • Security testing or red team exercises against non-production systems
  • Kernel developers testing cgroup functionality in controlled environments

Testing Methodology

Validate this detection against the three Atomic Red Team-style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see; run them only on lab systems.

  1. Test 1: Write payload to cgroup release_agent (non-privileged namespace simulation)

    Expected signal: Process event for unshare with -UrmC flags; file write event to path matching /sys/fs/cgroup/*/release_agent or the tmp mount path; child bash process inheriting modified cgroup namespace

  2. Test 2: Enumerate cgroup v1 hierarchy for exploitable release_agent

    Expected signal: Process event for sh/bash with find commands targeting /sys/fs/cgroup paths; multiple file read events against notify_on_release and release_agent pseudo-files

  3. Test 3: Container escape simulation via cgroup release_agent (lab environment)

    Expected signal: Docker daemon log showing privileged container creation; host-level process events for cgroup mount, release_agent write; if successful: unexpected process spawned outside container namespace with UID 0; file creation event for escape_proof.txt on host
