The original write-up is linked from this post <a href="https://www.crowdstrike.com/blog/cr8escape-new-vulnerability-discovered-in-cri-o-container-engine-cve-2022-0811/" rel="nofollow">https://www.crowdstrike.com/blog/cr8escape-new-vulnerability...</a> - Good, lots of details on exact reproduction.<p>One idea for mitigation before you can get a patch out for this would be to use admission control (e.g. OPA/Kyverno) to block setting custom sysctls altogether or block the characters used in the attack. There are some notes on that <a href="https://blog.aquasec.com/cve-2022-0811-cri-o-vulnerability" rel="nofollow">https://blog.aquasec.com/cve-2022-0811-cri-o-vulnerability</a> and Kyverno have a mention of the finer-grained policy <a href="https://twitter.com/kyverno/status/1504499323324678145" rel="nofollow">https://twitter.com/kyverno/status/1504499323324678145</a><p>One thing that's worth noting is that to exploit this the attacker needs create pod rights (or rights to create a workload type that then creates pods), so it's probably not critical for every cluster.
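As an added illustration of the admission-control idea in the comment above (not part of the original comment, and not the Aqua or Kyverno policy), here is the decision logic of a validating admission webhook in Python: it rejects objects that set pod sysctls, including workload kinds that create pods, with an optional finer-grained mode. The function names, the `SAFE_VALUE` allowlist and the sample request builder are assumptions made for this example.

```python
import re

# Kinds whose spec embeds a pod template (workloads that create pods).
TEMPLATE_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet",
                  "ReplicationController", "Job"}
# Assumed allowlist for the finer-grained mode: letters, digits, spacing, ". , _ -".
SAFE_VALUE = re.compile(r"[A-Za-z0-9 \t.,_-]*")


def pod_spec(obj):
    """Return the pod spec embedded in a Pod or workload object, else {}."""
    kind, spec = obj.get("kind"), obj.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    elif kind not in TEMPLATE_KINDS:
        return {}
    return (spec.get("template") or {}).get("spec") or {}


def review(admission_review, allow_plain_values=False):
    """Answer an AdmissionReview: deny sysctls outright, or only unusual values."""
    req = admission_review["request"]
    spec = pod_spec(req.get("object") or {})
    sysctls = (spec.get("securityContext") or {}).get("sysctls") or []
    if allow_plain_values:
        # Finer-grained mode: keep only entries whose value fails the allowlist.
        sysctls = [s for s in sysctls
                   if not SAFE_VALUE.fullmatch(str(s.get("value", "")))]
    response = {"uid": req["uid"], "allowed": not sysctls}
    if sysctls:
        names = ", ".join(str(s.get("name")) for s in sysctls)
        response["status"] = {"code": 403,
                              "message": f"sysctls rejected by policy: {names}"}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


def make_request(uid, obj):
    """Wrap a constructed object in a sample AdmissionReview request."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "operation": "CREATE", "object": obj}}
```

Checking the pod template of Deployments, Jobs and similar kinds matters because, as the comment notes, rights to create such a workload are enough to get a pod created.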