CVE-2022-0811
Published 2022-03-16
Priority P2 · 64 · high · 8.8 CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 18.56% (96.9th percentile)
A flaw was found in CRI-O in the way it set kernel options for a pod. This issue allows anyone with rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime to achieve a container escape and arbitrary code execution as root on the cluster node, where the malicious pod was deployed.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | cri-o_cri-o | >= 1.19.0 < 1.19.6 | 1.19.6 |
| github.com | cri-o_cri-o | >= 1.20.0 < 1.20.7 | 1.20.7 |
| github.com | cri-o_cri-o | >= 1.21.0 < 1.21.6 | 1.21.6 |
| github.com | cri-o_cri-o | >= 1.22.0 < 1.22.3 | 1.22.3 |
| github.com | cri-o_cri-o | >= 1.23.0 < 1.23.2 | 1.23.2 |
| kubernetes | cri-o | — | — |
| kubernetes | cri-o | >= 1.19.0 < 1.19.6 | 1.19.6 |
| kubernetes | cri-o | >= 1.20.0 < 1.20.7 | 1.20.7 |
| kubernetes | cri-o | >= 1.21.0 < 1.21.6 | 1.21.6 |
| kubernetes | cri-o | >= 1.22.0 < 1.22.3 | 1.22.3 |
| kubernetes | cri-o | >= 1.23.0 < 1.23.2 | 1.23.2 |
| msrc | cbl2_cri-o_1.22.3-14_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_cri-o_1.22.3-1_on_cbl_mariner_2.0 | — | — |
Detection & IOCs
- Flag use of kernel-level sysctls (names prefixed with 'kernel.') in pod securityContext — a prerequisite condition for the exploit.
- Red Hat OpenShift Container Platform versions 4.6 and later are affected; OCP versions prior to 4.6 are not affected.
- The vulnerability was introduced in CRI-O version 1.19 (September 2020); clusters running CRI-O older than 1.19 are not affected.
- No in-the-wild exploitation had been reported at the time of CrowdStrike's disclosure on March 15, 2022.
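The first check above, combined with the affected ranges from the table, as an added triage example (not code from any of the quoted advisories). The pod manifests, node names and the node-to-version map are constructed sample data; `crio_affected`, `kernel_sysctls` and `triage` are hypothetical helper names.

```python
import re

# Fixed patch release per affected minor line, from the "Affected" table above.
FIXED_PATCH = {(1, 19): 6, (1, 20): 7, (1, 21): 6, (1, 22): 3, (1, 23): 2}

def crio_affected(version: str) -> bool:
    """True if a CRI-O version string falls inside one of the listed affected ranges."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable CRI-O version: {version!r}")
    major, minor, patch = map(int, m.groups())
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and patch < fixed

def kernel_sysctls(pod: dict) -> list:
    """Names of 'kernel.'-prefixed sysctls requested in the pod-level securityContext."""
    ctx = (pod.get("spec") or {}).get("securityContext") or {}
    names = [str(s.get("name", "")) for s in ctx.get("sysctls") or []]
    return [n for n in names if n.startswith("kernel.")]

def triage(pods: list, node_crio: dict) -> list:
    """Pair each pod that requests kernel.* sysctls with its node's CRI-O exposure."""
    findings = []
    for pod in pods:
        hits = kernel_sysctls(pod)
        if not hits:
            continue
        node = (pod.get("spec") or {}).get("nodeName", "")
        version = node_crio.get(node)
        findings.append({
            "pod": f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}',
            "sysctls": hits,
            "node": node,
            "node_affected": crio_affected(version) if version else None,
        })
    return findings

# Constructed sample input (hypothetical names; sysctl values are benign placeholders).
PODS = [
    {"metadata": {"namespace": "web", "name": "frontend"},
     "spec": {"nodeName": "node-a", "securityContext": {
         "sysctls": [{"name": "net.ipv4.ip_local_port_range", "value": "1024 65535"}]}}},
    {"metadata": {"namespace": "batch", "name": "worker"},
     "spec": {"nodeName": "node-b", "securityContext": {
         "sysctls": [{"name": "kernel.shm_rmid_forced", "value": "1"}]}}},
    {"metadata": {"namespace": "ops", "name": "no-context"}, "spec": {"nodeName": "node-a"}},
]
NODE_CRIO = {"node-a": "1.23.2", "node-b": "1.22.2"}  # node -> CRI-O version (constructed)

if __name__ == "__main__":
    for finding in triage(PODS, NODE_CRIO):
        print(finding)
```

A hit is a triage signal rather than proof of abuse, since some `kernel.` sysctls are legitimately allowed; prioritise pods whose node reports `node_affected: True`.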
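CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vendor_msrc | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |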
Red Hat
CRI-O: Arbitrary code execution in cri-o via abusing “kernel.core_pattern” kernel parameter
vendor_redhat·2022-03-15·CVSS 8.8
CVE-2022-0811 [HIGH] CWE-94 CRI-O: Arbitrary code execution in cri-o via abusing “kernel.core_pattern” kernel parameter
A flaw was found in CRI-O in the way it set kernel options for a pod. This issue allows anyone with rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime to achieve a container escape and arbitrary code execution as root on the cluster node, where the malicious pod was deployed.
Statement: OpenShift Container Platform (OCP) starting from version 4.6 is affected by this vulnerabili
Microsoft
A flaw was found in CRI-O in the way it set kernel options for a pod. This issue allows anyone with rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime to achieve a container es
vendor_msrc·2022-03-08·CVSS 8.8
CVE-2022-0811 [HIGH] CWE-94 A flaw was found in CRI-O in the way it set kernel options for a pod. This issue allows anyone with rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime to achieve a container es
A flaw was found in CRI-O in the way it set kernel options for a pod. This issue allows anyone with rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime to achieve a container escape and arbitrary code execution as root on the cluster node, where the malicious pod was deployed.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See thi
OSV
Code Injection in CRI-O in github.com/cri-o/cri-o
osv·2024-08-21
CVE-2022-0811 Code Injection in CRI-O in github.com/cri-o/cri-o
OSV
Code Injection in CRI-O
osv·2022-03-15
CVE-2022-0811 [HIGH] Code Injection in CRI-O
### Impact
A flaw introduced in CRI-O version 1.19 allows an attacker to bypass the safeguards and set arbitrary kernel parameters on the host. As a result, anyone with rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime can abuse the `kernel.core_pattern` kernel parameter to achieve container escape and arbitrary code execution as root on any node in the cluster.
### Patches
The patches will be present in 1.19.6, 1.20.7, 1.21.6, 1.22.3, 1.23.2, 1.24.0
### Workarounds
- Users can set `manage_ns_lifecycle` to false, which causes the sysctls to be configured by the OCI runtime, which typically filters these cases. This option is available in 1.20 and 1.19. Newer versions don't have this option.
- An admission webhook could be created to d
GHSA
Code Injection in CRI-O
ghsa·2022-03-15
CVE-2022-0811 [HIGH] CWE-94 Code Injection in CRI-O
No detection rules found.
No public exploits indexed.
Tenable
Cr8escape: How Tenable Can Help (CVE-2022-0811)
blogs_tenable·2022-03-29·CVSS 8.8
[HIGH] Cr8escape: How Tenable Can Help (CVE-2022-0811)
Checkpoint
21st March – Threat Intelligence Report
blogs_checkpoint·2022-03-21
CVE-2022-0811 21st March – Threat Intelligence Report
## 21st March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 21st March, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Check Point Research has found sensitive data of a number of mobile applications exposed and available to anyone. By searching VirusTotal, CPR found 2113 mobile applications whose databases were unprotected and exposed throughout the course of a three month research study.
Check Point CloudGuard for Application Security prov
Crowdstrike
cr8escape: New Vulnerability in CRI-O Container Engine (CVE-2022-0811)
blogs_crowdstrike·CVSS 8.8
CVE-2022-0811 [HIGH] cr8escape: New Vulnerability in CRI-O Container Engine (CVE-2022-0811)
## cr8escape: New Vulnerability in CRI-O Container Engine Discovered by CrowdStrike (CVE-2022-0811)
## Kubernetes and CRI-O release patch for vulnerability today; CrowdStrike customers protected
March 15, 2022
2022-03-16
Published