CVE-2022-0492 Sumo Logic CSE · Sumo

Detect Linux Kernel cgroup v1 release_agent Privilege Escalation (CVE-2022-0492) in Sumo Logic CSE

CVE-2022-0492 is a Linux kernel vulnerability (CWE-287/CWE-862) in the cgroup v1 release_agent mechanism. A local unprivileged user can exploit improper capability checks to write to /sys/fs/cgroup/*/release_agent and execute arbitrary commands as root, enabling container escape and full host compromise. This vulnerability is listed on CISA KEV, indicating active exploitation in the wild.

MITRE ATT&CK

Tactic
Privilege Escalation Defense Evasion Execution

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=linux* OR _sourceCategory=auditd OR _sourceCategory=sysmon
| where (%"filepath" matches "/sys/fs/cgroup/*/release_agent"
  OR %"cmdline" matches "*release_agent*"
  OR %"cmdline" matches "*notify_on_release*"
  OR (%"process" in ("unshare", "nsenter") and %"cmdline" matches "*cgroup*"))
| eval severity = if(%"filepath" matches "*release_agent*", "CRITICAL", "HIGH")
| eval cve = "CVE-2022-0492"
| count by _sourceHost, %"user", %"process", %"cmdline", %"filepath", severity, cve
| order by _count desc
critical severity medium confidence

Sumo Logic query detecting cgroup v1 release_agent writes and associated namespace manipulation commands indicating CVE-2022-0492 exploitation attempts.

Data Sources

Linux auditdSysmon for LinuxSumo Logic Installed Collector

Required Tables

linux_auditsysmon_linux

False Positives & Tuning

  • Container runtime processes performing normal cgroup cleanup operations
  • Automated infrastructure scripts managing cgroup hierarchies
  • Kubernetes daemonsets or node-level agents with cgroup access permissions
  • Security monitoring agents that enumerate cgroup configurations

Other platforms for CVE-2022-0492

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Write payload to cgroup release_agent (non-privileged namespace simulation)

    Expected signal: Process event for unshare with -UrmC flags; file write event to path matching /sys/fs/cgroup/*/release_agent or the tmp mount path; child bash process inheriting modified cgroup namespace

  2. Test 2Enumerate cgroup v1 hierarchy for exploitable release_agent

    Expected signal: Process event for sh/bash with find commands targeting /sys/fs/cgroup paths; multiple file read events against notify_on_release and release_agent pseudo-files

  3. Test 3Container escape simulation via cgroup release_agent (lab environment)

    Expected signal: Docker daemon log showing privileged container creation; host-level process events for cgroup mount, release_agent write; if successful: unexpected process spawned outside container namespace with UID 0; file creation event for escape_proof.txt on host

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2022-0492 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0004Privilege EscalationTA0005Defense EvasionTA0002Execution

Related Techniques

T1611Escape to HostT1548.001Setuid and SetgidT1059.004Unix Shell

Same Tactic: Privilege Escalation

Popular Detections