The security world has been abuzz about a new Linux exploit called “Dirty Pipe,” which also affects Android 12 devices like Galaxy S22 and Pixel 6. Here’s everything you need to know about “Dirty Pipe,” which devices it affects, and how best to avoid it.

What can Dirty Pipe do?

Recently disclosed by Max Kellermann as vulnerability CVE-2022-0847, “Dirty Pipe” is a security exploit in select recent versions of the Linux kernel. (The kernel is the core of an operating system, often acting as the go-between from applications to your actual hardware.) In short, any application that can read files on your phone/computer — a permission many Android apps ask for — can potentially mess with your files or run malicious code. On desktop/laptop versions of Linux, this has already been shown to be easily able to get admin privileges.

Simply put, this exploit could easily give an attacker full control of your device.

Which devices are affected by “Dirty Pipe”?

Broadly speaking, “Dirty Pipe” affects Linux-powered devices — which includes everything from Android phones and Chromebooks to Google Home devices like the Chromecasts, speakers, and displays. More specifically, the bug was introduced with Linux kernel version 5.8, released in 2020, and remained present in future releases.

On the Android side of things, as noted by Ars Technica‘s Ron Amadeo, the damage potential of “Dirty Pipe” is far more limited. Most Android devices actually use an older version of the Linux kernel, unaffected by the exploit. Only devices that started their lives on Android 12 have a chance of being affected.

Unfortunately, that means Android phones like the Google Pixel 6 series and Samsung Galaxy S22 series are both potentially at risk from “Dirty Pipe.” In fact, the developer who originally discovered the exploit was able to reproduce it on a Pixel 6 and reported it to Google.

The easiest way to check whether your device is affected is to view your Linux kernel version. To do so, open the Settings app, open “About phone,” tap “Android version,” then look for “Kernel version.” If you see a version higher than 5.8 — and if Google hasn’t yet released a security patch — then your device is potentially at risk from the “Dirty Pipe” exploit.

To find this same information on Chrome OS, open a new tab and navigate to chrome://system and scroll down to “uname.” You should see something like the text below. If the number after “Linux localhost” is higher than 5.8, your device may be affected.

Are attackers using the exploit?

As of now, there are no known instances of the “Dirty Pipe” exploit being abused to gain control over a phone or computer. That said, quite a few developers have shown proof-of-concept examples of how easily “Dirty Pipe” can be used. It’s surely only a matter of time before “Dirty Pipe”-based exploits begin appearing in the wild.

The most recently spotted example (via Max Weinbach) shows Dirty Pipe being used to very quickly get root access on both the Pixel 6 and the Galaxy S22 using a proof-of-concept app. While the exploit had previously been confirmed to be possible on the Pixel 6, this demo, posted by Fire30, is the first to show Dirty Pipe in action on an Android phone.

What are Google and other companies doing?

In addition to originally uncovering the “Dirty Pipe” exploit, Kellermann was also able to identify how to fix it, and submitted a fix to the Linux kernel project shortly after disclosing it privately. Two days later, newer builds of supported versions of the Linux kernel were released to include the fix.

As previously mentioned, the “Dirty Pipe” exploit was also reported to Google’s Android Security Team in late February. Within days, Kellermann’s fix was added to Android source code, ensuring that future builds would be secure. The Chrome OS team followed suit in picking up the fix on March 7, with the fix seemingly poised to roll out potentially as a mid-cycle update to Chrome OS 99.

However, given how new both the exploit and the fix are, the issue does not appear to have been included in the March 2022 Android Security Bulletin. It’s not clear at this point whether a special patch will be created for affected devices like the Pixel 6 series or if the exploit will be available until next month’s security patch. According to Android Police’s Ryne Hager, Google has confirmed that the recent delay to the Pixel 6’s March patch is not related to the “Dirty Pipe” exploit.


Update 4/4: Right on schedule, Google released the April 2022 patch to Pixel 6 series and other Pixel phones. However, neither the Android Security Bulletin for this month nor the Pixel-specific patch notes make any mention of the Dirty Pipe exploit. This suggests that the Dirty Pipe exploit will continue to be available for the phone until at least next month’s patch.

Galaxy phones have also begun receiving their April 2022 update as of this week. However, as Samsung doesn’t release patch notes until later in the month, we can’t yet be sure whether the Galaxy S22 series is still affected by Dirty Pipe.


Update 5/3: Google has now rolled out the May 2022 security patch to Pixel phones and unveiled the broader Android Security Bulletin for the month. The bulletin makes direct mention of the Dirty Pipe exploit, meaning that every phone on the May 2022 security update or newer is assured to be safe from attackers.

To wit, we’ve confirmed that the fix has appeared on Pixel 6 devices with the May 2022 update, as the phone lists a newer Linux kernel version. As the builds were created in March, they include the Dirty Pipe fix from February. Curiously, the new kernel version is slightly older than what was seen in the second Beta test of the June Pixel Feature Drop.

5.10.66-android12-9-00001-g51e133b6e4eb-ab8103786
#1 Fri Jan 21 06:54:49 UTC 2022

Before

5.10.66-android12-9-00007-g66c74c58ab38-ab8262750
#1 Mon Mar 7 01:27:36 UTC 2022

As the Pixel 6 and Galaxy S22 were the only devices known to be affected by Dirty Pipe, and any newer devices should release with the May 2022 update or newer, this should mark the end of the Dirty Pipe exploit on Android.


How does “Dirty Pipe” work?

For the technically inclined, especially those with Linux experience, Kellermann has published an interesting write-up of how “Dirty Pipe” was inadvertently discovered and the core mechanisms of how it works.

Here’s an (overly) simplified explanation: as the “Dirty Pipe” name suggests, it has to do with Linux’s concepts of “pipes” — which are used to get data from one app or process to another — and “pages” — small chunks of your RAM. Effectively, it’s possible for an application to manipulate Linux pipes in a way that makes it possible to insert its own data into a page of memory.

By doing so, it’s easily possible for the attacker to either change the contents of a file you’re trying to open or even give themselves full control of your computer.

How can I keep my device safe?

As of May 2022, Dirty Pipe has been fixed on both the Google Pixel 6 series and the Samsung Galaxy S22 series, the only known-affected phones. To ensure that your device is safe, simply update your phone’s software. On Pixel phones, you can do this in the Settings app; inside “System,” you should find “System update.” If you see an “Android security update” of May 2022 or newer, your device is safe.

FTC: We use income earning auto affiliate links. More.


Check out 9to5Google on YouTube for more news:

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Kyle Bradshaw

Kyle is an author and researcher for 9to5Google, with special interests in Made by Google products, Fuchsia, and Stadia.

Got a tip or want to chat? Twitter or Email. Kyle@9to5mac.com

Kyle Bradshaw's favorite gear