Broadly speaking, “Dirty Pipe” affects Linux-powered devices — which includes everything from Android phones and Chromebooks to Google Home devices like the Chromecasts, speakers, and displays. More specifically, the bug was introduced with Linux kernel version 5.8, released in 2020, and remained present in future releases. On the Android side of things, as noted by Ars Technica‘s Ron Amadeo, the damage potential of “Dirty Pipe” is far more limited. Most Android devices actually use an older version of the Linux kernel, unaffected by the exploit. Only devices that started their lives on Android 12 have a chance of being affected.
The security community has been buzzing about a new Linux exploit known as “Dirty Pipe,” which affects Android 12 devices such as the Galaxy S22 and Pixel 6. Here’s everything you need to know about “Dirty Pipe,” including which devices are affected by it and how to avoid it. “Dirty Pipe,” recently disclosed by Max Kellermann as vulnerability CVE-2022-0847, is a security exploit in certain recent versions of the Linux kernel. (The kernel is the heart of an operating system, serving as a conduit between applications and actual hardware.) In short, any app that can read files on your phone/computer — a permission that many Android apps request — has the potential to corrupt your files or run malicious code. This has already been demonstrated on Linux desktop/laptop versions.
Unfortunately, that means Android phones like the Google Pixel 6 series and Samsung Galaxy S22 series are both potentially at risk from “Dirty Pipe.” In fact, the developer who originally discovered the exploit was able to reproduce it on a Pixel 6 and reported it to Google. The easiest way to check whether your device is affected is to view your Linux kernel version. To do so, open the Settings app, open “About phone,” tap “Android version,” then look for “Kernel version.” If you see a version higher than 5.8 — and if Google hasn’t yet released a security patch — then your device is potentially at risk from the “Dirty Pipe” exploit.
The most recently spotted example (via Max Weinbach) shows Dirty Pipe being used to very quickly get root access on both the Pixel 6 and the Galaxy S22 using a proof-of-concept app. While the exploit had previously been confirmed to be possible on the Pixel 6, this demo, posted by Fire30, is the first to show Dirty Pipe in action on an Android phone. In addition to originally uncovering the “Dirty Pipe” exploit, Kellermann was also able to identify how to fix it, and submitted a fix to the Linux kernel project shortly after disclosing it privately. Two days later, newer builds of supported versions of the Linux kernel were released to include the fix.
To find this same information on Chrome OS, open a new tab and navigate to chrome://system and scroll down to “uname.” You should see something like the text below. If the number after “Linux localhost” is higher than 5.8, your device may be affected. As of now, there are no known instances of the “Dirty Pipe” exploit being abused to gain control over a phone or computer. That said, quite a few developers have shown proof-of-concept examples of how easily “Dirty Pipe” can be used. It’s surely only a matter of time before “Dirty Pipe”-based exploits begin appearing in the wild.
As previously mentioned, the “Dirty Pipe” exploit was also reported to Google’s Android Security Team in late February. Within days, Kellermann’s fix was added to Android source code, ensuring that future builds would be secure. The Chrome OS team followed suit in picking up the fix on March 7, with the fix seemingly poised to roll out potentially as a mid-cycle update to Chrome OS 99.
However, given how new both the exploit and the fix are, the issue does not appear to have been included in the March 2022 Android Security Bulletin. It’s not clear at this point whether a special patch will be created for affected devices like the Pixel 6 series or if the exploit will be available until next month’s security patch. According to Android Police’s Ryne Hager, Google has confirmed that the recent delay to the Pixel 6’s March patch is not related to the “Dirty Pipe” exploit.
Update 4/4: Right on schedule, Google released the April 2022 patch to Pixel 6 series and other Pixel phones. However, neither the Android Security Bulletin for this month nor the Pixel-specific patch notes make any mention of the Dirty Pipe exploit. This suggests that the Dirty Pipe exploit will continue to be available for the phone until at least next month’s patch. Galaxy phones have also begun receiving their April 2022 update as of this week. However, as Samsung doesn’t release patch notes until later in the month, we can’t yet be sure whether the Galaxy S22 series is still affected by Dirty Pipe.
Update 5/3: Google has now rolled out the May 2022 security patch to Pixel phones and unveiled the broader Android Security Bulletin for the month. The bulletin makes direct mention of the Dirty Pipe exploit, meaning that every phone on the May 2022 security update or newer is assured to be safe from attackers. To wit, we’ve confirmed that the fix has appeared on Pixel 6 devices with the May 2022 update, as the phone lists a newer Linux kernel version. As the builds were created in March, they include the Dirty Pipe fix from February. Curiously, the new kernel version is slightly older than what was seen in the second Beta test of the June Pixel Feature Drop.