Pixel 6 finally gets the Dirty Pipe patch, a month after the Galaxy S22

The May Android security update is out, which means the Pixel 6 is finally getting a patch for the Dirty Pipe vulnerability. The update comes a month after Samsung sent the Galaxy S22 patch to Google, but at least it’s finally here.

Dirty Pipe, also known as CVE-2022-0847, is one of the biggest Linux vulnerabilities in recent years. The vulnerability allows an unprivileged user to overwrite read-only data, which could lead to additional privilege escalation. A working demo already exists on Android: Twitter user @Fire30_ demonstrated using the bug to root the Pixel 6. Devices running Linux 5.8 and above are vulnerable, and after the vulnerability was discovered on February 19, patches for Linux distributions for PCs began rolling out 17 days later.

However, things are different with Android. First, not many devices use the Linux 5.8 kernel yet. Even though this version was released in August 2020, Android only jumped from 5.4 to 5.10 with the release of Android 12 in November. Since existing devices usually don’t switch between major kernel versions when they receive an Android update, only new devices with Android 12 have the 5.10 kernel. That amounts to a very small number of new devices released in the last eight months or so, namely the Pixel 6, Galaxy S22 and OnePlus 10 Pro.

According to the researcher who discovered the vulnerability, Google patched Dirty Pipe in the Android codebase on February 23rd. Samsung took that code from Google and rolled it out on the Galaxy S22 last month, but Google ended up waiting an extra month for it to finally hit Pixel 6 users this week. OnePlus is still lagging behind.

Google only classifies Dirty Pipe as “high” severity, which explains why the company didn’t release an update quickly. Dirty Pipe does not reach the “critical” vulnerability level on Android because it cannot be used remotely. The exploit requires local access, so provided there are no other known vulnerabilities, you should be safe as long as you don’t install anything malicious.

In other Android update news, the end of the mid-range Pixel 3a line is just around the corner. After three years of major OS updates, May 2022 marks the last official OS release for the Pixel 3a. Google told 9to5Google that the device will receive the final update by July 2022.
