CVE-2022-0492: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability (CVE-2022-0492) was discovered in the Linux kernel's cgroupreleaseagentwrite function in kernel/cgroup/cgroup-v1.c. The flaw, identified in early 2022, allows attackers to use the cgroups v1 releaseagent feature to escalate privileges and bypass namespace isolation under certain circumstances. The vulnerability affects Linux kernel versions through 5.17-rc2 (NVD, Sysdig Blog).

The vulnerability exists in the cgroupreleaseagentwrite function where the releaseagent gets called with all capabilities. When exploited, attackers can mount cgroupfs in new users' namespaces and edit the release_agent file, which allows for privilege escalation. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

Successful exploitation of this vulnerability can lead to privilege escalation, allowing attackers to escape container environments and gain root privileges on the host system. The flaw can also be used to bypass namespace isolation, potentially compromising the security boundaries between containers (Sysdig Blog).

The vulnerability was patched in Linux kernel version 5.17 rc3 with a fix that requires capabilities to set release_agent. For systems that cannot be immediately patched, ensuring that containers run with SELinux, AppArmor, or Seccomp enabled provides protection against this vulnerability. Additionally, implementing admission control policies can prevent the deployment of containers with disabled security features (Kernel Commit, Sysdig Blog).