From https://marc.info/?l=oss-security&m=164399879422272&w=4:

"It has been discovered that under certain circumstances, the Linux kernel's cgroups v1 release_agent feature can be used to escalate privilege and bypass namespace isolation unexpectedly. CVE-2022-0492 has been assigned to this issue, which is corrected by requiring CAP_SYS_ADMIN in the initial user namespace when setting release_agent. This has been included upstream in commit 24f6008564183aa120d07c03d9289519c2fe02af."

From https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=24f6008564183aa120d07c03d9289519c2fe02af:

"The cgroup release_agent is called with call_usermodehelper. The function call_usermodehelper starts the release_agent with a full set of capabilities. Therefore require capabilities when setting the release_agent."

AIUI, that means anyone who can call cgroup_release_agent_write can end up with all capabilities, prior to the fix? Some minor spelunking showed that cgroup_release_agent_write appeared in more-or-less its current form in 2008. So any Linux kernel from v2.6.26 onward, with CONFIG_CGROUPS, may be vulnerable?
$ fix_in_what_release 24f6008564183aa120d07c03d9289519c2fe02af
4.9.301 4.14.266 4.19.229 5.4.177 5.10.97 5.15.20 5.16.6

I can't find a security-supported kernel that has any vulnerable version, and since we don't issue GLSAs for kernels, we should be all done here.
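As an added example (not part of the comments above, and not the fix_in_what_release tool): a check of `uname -r` style strings against the fixed stable releases listed in that output. The function names, status labels and sample inventory are constructed; treating branches newer than 5.16 as carrying the upstream commit is an assumption.

```python
import re

# Fixed stable releases for commit 24f6008564183aa120d07c03d9289519c2fe02af
# (CVE-2022-0492), copied from the fix_in_what_release output above.
FIXED = {(4, 9): 301, (4, 14): 266, (4, 19): 229, (5, 4): 177,
         (5, 10): 97, (5, 15): 20, (5, 16): 6}


def parse_release(release):
    """Split a `uname -r` style string into (major, minor, patch).

    Local suffixes such as "-gentoo-r1" or "-rc3" are ignored; a missing
    patch level (e.g. "5.16-rc1") is treated as 0.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def release_agent_fix_status(release):
    """Classify a kernel release against the listed fix releases."""
    major, minor, patch = parse_release(release)
    branch = (major, minor)
    if branch in FIXED:
        return "fixed" if patch >= FIXED[branch] else "predates-fix"
    if branch > max(FIXED):
        # Assumption: branches newer than the newest listed one descend
        # from mainline and therefore already contain the upstream commit.
        return "assumed-fixed"
    # Branch has no fixed release in the list (e.g. an end-of-life series).
    return "unlisted"


def audit(inventory):
    """Map host -> status for a {host: kernel release} inventory."""
    return {host: release_agent_fix_status(rel) for host, rel in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not taken from the page.
    sample = {"build01": "5.10.96-gentoo-r1", "web01": "5.15.20-gentoo",
              "legacy01": "4.4.302", "lab01": "5.17.1"}
    for host, status in audit(sample).items():
        print(f"{host}: {status}")
```

A `predates-fix` result on a distribution kernel still needs a look at the vendor changelog, since the patch may have been backported without a version bump.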