Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 832725 (CVE-2022-0492) - sys-kernel/gentoo-sources kernel/cgroup/cgroup-v1.c - privesc in cgroup_release_agent_write (CVE-2022-0492)
Summary: sys-kernel/gentoo-sources kernel/cgroup/cgroup-v1.c - privesc in cgroup_relea...
Alias: CVE-2022-0492
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Keywords: SECURITY
Depends on:
Reported: 2022-02-04 22:23 UTC by Hank Leininger
Modified: 2022-08-16 22:59 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Hank Leininger 2022-02-04 22:23:46 UTC

"It has been discovered that under certain circumstances, the Linux kernel's
cgroups v1 release_agent feature can be used to escalate privilege and
bypass namespace isolation unexpectedly.

CVE-2022-0492 has been assigned to this issue, which is corrected by
requiring CAP_SYS_ADMIN in the initial user namespace when setting
release_agent. This has been included upstream in commit


"The cgroup release_agent is called with call_usermodehelper.  The function
call_usermodehelper starts the release_agent with a full set fo capabilities.
Therefore require capabilities when setting the release_agaent."

AIUI, that means anyone who can call cgroup_release_agent_write can end up with all capabilities, prior to the fix?

Some minor spelunking showed that cgroup_release_agent_write appeared in more-or-less its current form in 2008. So any Linux kernel from v2.6.26 onward, with CONFIG_CGROUPS, may be vulnerable?
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-16 22:59:34 UTC
$ fix_in_what_release 24f6008564183aa120d07c03d9289519c2fe02af
4.9.301 4.14.266 4.19.229 5.4.177 5.10.97 5.15.20 5.16.6

I can't find a security-supported kernel that has any vulnerable version, and since we don't issue GLSAs for kernels, we should be all done here.