7JUN

Old Linux container bug back in the wild

3 min read

10:08UTC

CISA listed a four-year-old Linux cgroups container-escape flaw and an Android CVSS 8.4 privilege bug on 2 June, both with a 5 June deadline. The spread across container infrastructure and a mobile handset, not any single entry, is the signal.

← Back to The 2024 patch that is breaking now Jump to analysis ↓

TechnologyDeveloping

Key takeaway

A 2022 Linux container escape and a current Android privilege bug are under active attack, both due by 5 June.

CISA added two flaws to its Known Exploited Vulnerabilities (KEV) catalogue on 2 June 2026 with a tight 5 June deadline ¹. The older one, CVE-2022-0492, is a four-year-old Linux cgroups bug, where cgroups are the kernel feature that fences off container resources; it lets a process break out of its container and reach root on the host underneath.

Alongside it sat CVE-2025-48595, a CVSS 8.4 integer-overflow elevation-of-privilege flaw across Android 14, 15 and 16, which lets an attacker already on the device climb to higher rights through a malicious app ². A container runtime and a mobile handset in one listing capture the breadth of the problem: the Office bug CISA surfaced in April had sat dormant for 17 years before exploitation , the same dynamic by which a 2022 kernel flaw resurfaces now.

For a defender triaging this batch, the cgroups entry is the more dangerous of the two. Cloud and Kubernetes estates run thousands of containers on shared hosts, and an escape to root on the host collapses the isolation those workloads depend on. CISA gave it three days where the WebLogic flaw in the same week got 21, because an attacker breaking out of a container moves faster than a patched maintenance window allows. The fix assumed applied in 2022 is the one to confirm first.

Deep Analysis

In plain English

Containers are a technology that lets software applications run in isolated boxes on a shared server, similar to having separate apartments in one building. CVE-2022-0492 is a four-year-old flaw that lets a malicious application inside one of these containers break out and take control of the entire server, the equivalent of a tenant breaking into the building's boiler room. CVE-2025-48595 affects Android phones running versions 14, 15 and 16. A malicious app downloaded from outside the Play Store (or a compromised legitimate app) can use this flaw to gain administrator-level control of the phone, giving it access to calls, messages, camera and location data without the owner's knowledge. Both flaws were added to CISA's urgent-action list on 2 June with a 5 June deadline.

Deep Analysis

Root Causes

Linux cgroups v1 exposes the release_agent mechanism for legitimate resource-cleanup purposes when containers exit. The kernel does not validate whether the process writing to release_agent has sufficient privilege relative to the host namespace; it relies on the container runtime (Docker, containerd) and the orchestrator (Kubernetes) to apply controls at a higher layer. When those higher-layer controls are absent or misconfigured, the cgroups subsystem itself provides no defence.

On Android, the integer-overflow class of vulnerability in CVE-2025-48595 affects the Android Framework layer, the Java-based abstraction above the Linux kernel that manages application permissions and inter-process communication.

Integer overflows in permission-boundary calculations enable an application to claim capabilities not granted at install time, bypassing both Google Play Protect attestation and Android's mandatory access control (SELinux) where the overflow corrupts a capability index rather than directly overwriting a protected region.

What could happen next?

Risk
Docker and containerd environments without Pod Security Admission enforcement or Falco runtime monitoring remain exposed to the CVE-2022-0492 container-escape, which provides a direct root-on-host path for any attacker with code execution inside a container.
Immediate · Assessed
Risk
Android Enterprise Recommended fleet operators face a patch-compliance window measured in days for CVE-2025-48595, as KEV-listed Android EoP flaws may trigger mobile device management (MDM) quarantine policies that lock out unpatched devices.
Immediate · Assessed
Consequence
The pairing of a Linux kernel flaw with an Android framework flaw in a single 5 June deadline batch reflects CISA's move toward OS-agnostic KEV batching, which compresses the patch-resource contention for enterprise security teams managing both server and mobile fleets simultaneously.
Short term · Suggested

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: CVE-2019-5736, the runc container-escape flaw discovered by Dragos Researcher Adam Iwaniuk and Borys Poplaw, allowed any container with write access to the host runc binary to overwrite it and execute arbitrary code at host root.

The 2019 case triggered emergency patching cycles across AWS Elastic Container Service, Google Kubernetes Engine and Azure Container Instances within 72 hours; CVE-2022-0492 exploits the same fundamental trust boundary between cgroups namespace isolation and the host kernel, but via a different mechanism.

Counter-parallel: The 2022 disclosure and patch of CVE-2022-0492 itself generated rapid vendor response: Red Hat Enterprise Linux, Ubuntu, and Debian all shipped kernel patches within a week of the February 2022 disclosure, and the Kubernetes project updated Pod Security Policy defaults to block the release_agent write.

The four-year lag to KEV listing therefore does not reflect slow vendor patching; it reflects CISA's exploitation-confirmation threshold being met only in 2026, suggesting threat actors revisited the flaw against targets where the 2022 patch had not been applied.

Container-escape vulnerabilities command among the highest premiums in the zero-day brokerage market: Zerodium's published acquisition price for an unpatched Linux container-escape with local-to-root capability runs at $500,000-$1 million, reflecting the density of container deployments in cloud-native enterprise infrastructure.

The Android EoP market runs lower, $100,000-$250,000 for local privilege escalation without a prior exploit chain, reflecting the additional steps required to monetise device access versus server access.

For enterprise Android deployments in regulated industries, CVE-2025-48595 carries Google Mobile Services certification risk: Android Enterprise Recommended (AER) device fleets may face policy-compliance failures if fleet management vendors classify KEV-listed EoP flaws as a disqualifying security posture.

Consensus view: Trail of Bits and Google's Project Zero both categorise CVE-2022-0492 as a cgroups v1 namespace-escape vulnerability that bypasses the seccomp and AppArmor syscall filters typically applied to containerised workloads.

The flaw exploits the release_agent mechanism: a process inside a container can write to the host's cgroup release_agent file and execute arbitrary commands at host root when the container exits. Runtime tools such as Falco can detect the anomalous cgroup_write syscall, but only if the Falco ruleset has been updated post-February 2022; legacy rulesets predating the patch are blind.

Counter-view: China's National Vulnerability Database (CNNVD, under the CNITSEC ministry) rated CVE-2022-0492's real-world exploitability as lower than CISA's KEV listing implies, on the grounds that most production container orchestration environments running Kubernetes with enforced Pod Security Admission (PSA) restrict the privileged container capabilities required for the release_agent write.

CNNVD's position: the KEV designation overstates population-level risk for hardened Kubernetes clusters while underselling it for bare-metal Docker deployments.

Key tension: Whether the spike in KEV-listing of four-year-old Linux kernel flaws reflects genuine novel exploitation campaigns or CISA attempting to clear a backlog of known-but-not-formally-catalogued flaws before proposed budget cuts reduce the KEV team's capacity to process incoming exploitation reports.

Sources:CISA·BleepingComputer

Mentions:CVE-2022-0492 →CVE-2025-48595 →CISA →CVE-2023-50224 →CVE-2026-48172 →Drupal →Known Exploited Vulnerabilities →Azure →Google →China →Android →Linux cgroups →

First Reported In

Update #6 · The 2024 patch that is breaking now

CISA· 7 Jun 2026

Read original →

Different Perspectives

Australian Cyber Security Centre (ACSC)

Australia's 18 of 95 May ransomware victims, nearly 19 per cent of global disclosed attacks against 0.3 per cent of global GDP, reflects end-of-life Windows Server concentration in healthcare, under-resourced national incident-response capacity, and time-zone isolation that slows vendor-assisted containment during peak attack windows.

Europol / international law enforcement

Operation Saffron's 27-country coordination set a new geographic breadth record for criminal-infrastructure seizure. The absence of an arrest alongside the server seizures limits durable impact: VPNLab.net and DoubleVPN precedents show gangs reconstitute on alternative hosts within two to four weeks.

UK Parliament (Cyber Security and Resilience Bill)

The Bill reaches Commons Report Stage on 10 June with penalties up to 4 per cent of global turnover. Qilin's NHS Synnovis attack in June 2024 and INC_RANSOM's Stuga Machinery posting on 5 June give the legislation a domestic evidence base connecting KEV-class exposure directly to UK CNI and supply-chain targeting.

German BSI / EU enterprise operator perspective

The 17-month lag between Oracle's January 2024 WebLogic patch and active exploitation confirms that CVSS 7.5 keeps a flaw below emergency-patch thresholds in most programmes, even when T3/IIOP exploitation is a documented recurring chain. BSI's T3/IIOP disablement guidance offers a network-layer mitigation that survives Oracle's quarterly patch cycle without requiring unscheduled downtime.

ENISA / EU cybersecurity regulator

NIS360's risk-zone designations for water and rail, following NCAF 2.0 in April, give member-state authorities a documented enforcement basis under NIS2. Fine ceilings at EUR 10 million cover essential entities; sub-threshold municipal water operators fall outside that scope, so designation without sector-level funding creates a perverse incentive to defer rather than remediate.

US federal CISO (FCEB agency)

Four staggered June deadlines covered WebLogic middleware, Linux containers, Android device fleets and Magento storefronts in a single fortnight, forcing triage that exposes whichever stack ranks lowest. CISA's proposed $707 million budget cut alongside this enforcement acceleration creates a direct credibility gap: the mandate grows while the capacity to sustain it shrinks.