Little more than a month after Samsung announced its Galaxy S22-series flagship, a security researcher found a major vulnerability that puts them, and a handful of other Android phones at risk. Over the past few days, there's been a lot of questions and concerns about the exploit known as Dirty Pipe. Here's the rundown on the Dirty Pipe exploit, the phones affected by it, and what you can do to stay safe.
Dirty Pipe is the name given to the CVE-2022-0847 vulnerability, present in Linux kernel versions 5.8 and later. The researcher who discovered the issue found it through what was assumed to be a bug that caused access logs on a machine to be intermittently corrupted. A deeper examination of the precise cause indicated the problem could be used as a very serious exploit. The mechanism is complicated, but in essence, the vulnerability allows data to be injected into arbitrary files due to the way the Linux kernel reads, writes, and passes data through what are called "pipes" — hence the name.ANDROIDPOLICE VIDEO OF THE DAY
Because basically everything in Linux is a "file," and because Dirty Pipe can selectively modify data in any file (either directly or through how the file is read via cache), that means an attacker could use exploit to modify system files. A bad actor can use the Dirty Pipe exploit to inject arbitrary code to be run by a privileged process. That code can then be used for all sorts of potential applications, like granting root permissions to other software and modifying the system without authorization.
In less technical terms, Dirty Pipe is a vulnerability on Linux that allows a malicious application nearly full system control, and that's scary.
The likelihood of failing victim to Dirty Pipe attack on your Android phone or tablet is low, but there's still reason for alarm. Since Linux powers more than just servers and your nerdy friend's laptop, a lot of devices are potentially at risk. Many embedded systems, smart home devices, set-top boxes, and even the majority of the world's phones run Linux — in the last case, courtesy of Android. That said, most Android device owners don't need to worry.
To start, Dirty Pipe only affects Android devices running Linux kernel versions 5.8 and later. There isn't a complete list of phones tied to specific Linux kernel versions, but many Android phones "live" on a specific kernel version their entire life. Kernel 5.8 was released in 2020, but Android devices didn't start to receive any more recent versions until the release of Android 12. Generic Kernel Images complicate this a little, but only the Pixel 6 and 6 Pro use it, and consumer devices using kernel versions after 5.8 didn't debut until Android 12 either.
In short, if your phone launched with Android 11 or earlier, you're safe from Dirty Pipe, and even if you upgraded to Android 12, there isn't a cause for concern. That means most phones from 2021 and earlier are unaffected. However, some more recent phones are affected.
We know the Pixel 6, Pixel 6 Pro, and Samsung Galaxy S22 series are affected by Dirty Pipe. Android Police has separately confirmed the Xiaomi 12 Pro is running an affected version of the Linux kernel. Qualcomm has confirmed to us that out of all its chipsets, only the Snapdragon 8 Gen 1 might use an affected kernel. All of its other hardware should be unaffected.
Odds are that some (if not all) phones with the Snapdragon 8 Gen 1 chipset running Android 12 are potentially vulnerable. We have also reached out to Samsung and MediaTek for more information about their hardware, but neither company has responded to our inquiries yet.
If you're concerned about whether your phone could be vulnerable to Dirty Pipe, until things are patched, checking is easy, but not always simple. The kernel version should be listed somewhere in your phone's Settings app, but different companies put it in a different place (and some even name it differently). All you need to care about for now are the first two digits for the kernel.
Follow the steps below to locate the kernel version for Google Pixel, OnePlus (running Oxygen OS 12 or later), and Samsung Galaxy phones:
If you own a phone from a different manufacturer, simply type "kernel" in the Settings' search bar. Though it still may not appear on all devices, it's a fast and easy way to access the information in many instances, including for devices not covered above.
Remember, if the first few digits of your phone's kernel version are lower than 5.8, you are safe.
Right now, there is nothing that you can do to fix the problem. The vulnerability on Android phones needs to be addressed by manufacturers and Google via an OTA update. The issue has already been addressed in the Linux kernel itself (if you're running a server or using Linux in some other application, update ASAP), but the process to deliver an update on Android is a little more complicated because of how Android works.
Google tells us that it is aware of the vulnerability and has shared information with partners on how to patch the issue, and Qualcomm further corroborates that fixes are available and expected to land as part of a future Android Security Bulletin — a monthly security patch, in other words.
So far, we aren't aware of a specific patch level that will address the issue or any updates for Android devices that do, but I would expect that updates in the next few months (in April, May, or June) will likely include a fix on affected models. A precise schedule will likely vary from manufacturer to manufacturer according to their individual update policy. Some companies, like OnePlus, only deliver updates on an every-two-month cadence, many are monthly, yet others are quarterly.
There are a few things you can do in the meantime to reduce your potential risk. If your phone is affected:
Google also tells us that it is exploring ways to use Google Play Protect to offer additional protection against this issue. If you stick to sources like the Play Store for your apps, that will reduce the chances that you might install a malicious app that takes advantage of the Dirty Pipe vulnerability, though it's not a perfect defense. Apps can still download code that takes advantage of the vulnerability after they are installed.
In the coming months, the impact of Dirty Pipe on Android will be reduced as manufacturers roll out updates to address the issue. If you haven't updated to a new flagship in the past six months, there's little need to worry. If, however, you just picked up a new Samsung Galaxy S22, hold off from downloading apps outside the Google Play Store, and keep an eye out for OTA updates for your phone.
Additional information about affected hardware
Qualcomm has given us additional details about the chipsets it supplies that may use affected kernels. Of its hardware, only devices using the Snapdragon 8 Gen 1 could be affected. We are still waiting on additional information from other vendors.Samsung’s February 2022 security patch starts arriving for more phones in the US
Now available for the Verizon Tab S7 and S7+Read NextShareTweetEmail Related TopicsAbout The AuthorRyne Hager(2954 Articles Published)
Ostensibly a senior editor, in reality just some verbose dude who digs on tech, loves Android, and hates anticompetitive practices. His only regret is that he didn't buy a Nokia N9 in 2012. Email tips or corrections to ryne at androidpolice dot com.MoreFrom Ryne Hager