CISA added CVE-2022-0492 to the Known Exploited Vulnerabilities catalog on June 2, 2026. The CVE number tells you it was reserved in 2022. It was published on March 3, 2022. It is a Linux kernel privilege-escalation and container-escape bug in cgroup_release_agent_write, in kernel/cgroup/cgroup-v1.c. Four years old, patched long ago, and now it’s on the list of things the U.S. government tells federal agencies to fix on a deadline.
That gap — four years between disclosure and KEV — is the whole story. Not the bug.
What the bug actually is
Short version: cgroups v1 has a release_agent file. When the last process in a cgroup exits, the kernel runs the program named in release_agent, as root, in the host’s namespaces. Writing to that file normally requires CAP_SYS_ADMIN in the initial user namespace. Under certain configurations — a container running with CAP_SYS_ADMIN, or a user namespace where the cgroup filesystem can be mounted — an attacker inside a container can point release_agent at their own script and get it executed on the host as root.
That’s a container escape. Confidentiality, integrity, availability all High. The CVSS v3.1 base is 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Local vector, low complexity, low privileges required. The “local” part is doing a lot of work — for a multi-tenant container platform, “local” means “anyone who can land a workload.”
The fix has been in mainline and every serious distro kernel for years. If you patch, this doesn’t touch you.
Why a 2022 bug shows up on KEV in 2026
KEV is not a list of new bugs. It is a list of bugs with observed exploitation. A CVE lands there when CISA has evidence it’s being used against real targets, regardless of age. The knownRansomwareCampaignUse field for this one says Unknown, and the due date CISA set (June 5, 2026) is three days after it was added — the deadline is effectively “you should already have done this.”
Three things make old kernel CVEs KEV material years later:
- Container platforms age in place. A node pool provisioned in 2022 with a golden image nobody rebuilt is still running a 2022 kernel. The bug shipped, the patch shipped, and the machine never got the memo.
- Local-privilege bugs are chain links, not headliners. Nobody writes a breach report titled “container escape.” They write “initial access via exposed API, then privilege escalation to host, then lateral movement.” CVE-2022-0492 is the middle step. It becomes exploited-in-the-wild when the front door bugs it pairs with get common enough.
- Detection catches up to exploitation. KEV additions often lag the actual first use because it takes time for incident responders to see the same TTP enough times to attribute a specific CVE.
The practitioner takeaway
If you manage vulnerabilities by “how new is it,” KEV keeps embarrassing you. A four-year-old CVE at CVSS 7.8 will sit below this week’s 9.8s in every dashboard sorted by severity and date. KEV inverts that: exploitation is the signal, and exploitation doesn’t respect publication dates.
Concretely:
-
Sort remediation by exploited-in-wild first, CVSS second. KEV membership and a decent EPSS score should outrank a higher raw CVSS on something nobody is using. A 7.8 on KEV beats a 9.1 with no exploitation evidence. This is the entire argument for risk-based vulnerability management over score-based.
-
Your kernel version is an asset, and you probably don’t inventory it. Ask yourself right now: what kernel is running on your oldest node pool, your CI runners, your one legacy VM that “we’ll migrate next quarter”? If you can’t answer in under a minute, that’s the finding. cgroups v1 is still in use on plenty of these. Newer stacks on cgroups v2 aren’t exposed to this specific path, which is another reason to know what you’re running.
-
Container escapes are a
CAP_SYS_ADMINand privileged-container problem. The durable mitigation isn’t just patching the kernel — it’s not handing workloadsCAP_SYS_ADMIN, not running privileged containers, and using user namespaces, seccomp, and AppArmor/SELinux so that even an unpatched kernel path is harder to reach. Defense in depth means the patch and the container configuration both have to fail before you lose the host. -
KEV is a free feed. Wire it in. The catalog is a JSON file CISA publishes. Diffing it against your asset inventory on a schedule is a few lines of code. If a KEV addition matches something you run, that’s an alert, not a newsletter item you skim.
The uncomfortable part
The reason this CVE matters isn’t that it’s clever. It’s that somewhere, right now, there are container nodes running a 2022 kernel because patching them was never anybody’s job. The bug is a symptom. The disease is a vulnerability program that measures freshness instead of exposure, and an asset inventory that stops at the application layer and never looks at the kernel underneath.
Old CVEs don’t die. They wait in your backlog until someone starts exploiting them, and then CISA writes their name on a list and gives you three days.