
Critical Dirty Pipe vulnerability goes unpatched in latest Android updates

source link: https://www.androidpolice.com/dirty-pipe-april-2022-patch/


By Ryne Hager

Published 9 hours ago

Phones that were vulnerable before are probably still vulnerable

Although updates for Pixels and Samsung's phones have been rolling out with the April 2022 patch levels included, one critical and high-profile exploit hasn't been addressed yet. The Android Security Bulletin for the month was published today, but it does not state that it addresses the Dirty Pipe vulnerability, which can be used for arbitrary code execution.

For the uninitiated, Google puts together a big "patch level" for Android that includes fixes for security vulnerabilities every month. Smartphone makers get access to it early to roll out updates in a coordinated way at the beginning of each month — assuming they deliver monthly updates. (Some manufacturers roll up these changes for less premium devices and deliver them every two months, or once a quarter.) Every month, Google publishes a bulletin that explains which vulnerabilities have been addressed across the monthly patch levels provided. The notes each month state the type of vulnerability, severity, and CVE identifier assigned to it, and this month's notes for April 2022 are missing CVE-2022-0847.

That identifier is tied to the Dirty Pipe vulnerability, which researchers have exploited to fully root a Google Pixel 6 Pro and Samsung's Galaxy S22 series by taking advantage of a bug in how Linux handles reading and writing to files. Done right, the exploit can allow privilege escalation and arbitrary code execution — scary terms that essentially mean a malicious actor can use the exploit to gain full control of a system (and enthusiasts might use it to get root access).

With the extensive documentation currently available regarding the exploit and its impact across systems running specific versions of the Linux kernel, it may be under active "in the wild" use by malicious actors, though it's less likely that anyone is currently using it to target Android phones. The vulnerability requires a very recent version of the Linux kernel, and Android phones tend to "live" on a single version for most of their lives. Excluding the Pixel 6 and its Generic Kernel Image support, only phones with a Snapdragon 8 Gen 1 that launched on Android 12 or later should be affected. That includes the Galaxy S22 series, Xiaomi 12 Pro, OnePlus 10 Pro, and Google's Tensor-powered Pixel 6 and 6 Pro.

So far as we can tell from examining the April 2022 Android Security Bulletin (not that it takes much more than a Ctrl+F), fixes for the CVE that corresponds to the Dirty Pipe vulnerability were not included in this month's patch levels, nor are they mentioned in the separate and device-specific Pixel Update Bulletin. Esper.io's Mishaal Rahman has further confirmed that the kernel build date and tags for the current patch on the Pixel 6 Pro indicate that it has been unchanged and is unlikely to include fixes for Dirty Pipe.

We have reached out to Google to more explicitly confirm whether the Dirty Pipe vulnerability has been addressed in the latest patch level, as well as if the Pixel 6 is still affected, but representatives from the company have not responded to our inquiry.

It's possible (but unlikely) that some device updates may still contain the fix, rolled out separately from Google's Android Security Bulletin changes. We've further reached out to Samsung for more information when it comes to the S22 series, and the company is looking into the subject. However, if Google didn't address the issue in the current patch level, it's unlikely that Samsung did.

Although only a few very recent (and relatively high-end) phones are affected, given the severity of the vulnerability, many customers were hoping that it might be fixed with this month's update, following its public disclosure on March 7th. But it looks like we might have to wait until April — or later.
