Android apps and phones have been susceptible to vulnerabilities in the past, and that remains true today. A newly discovered exploit called Dirty Pipe can let apps (with the necessary permissions) read files, inject malicious code into programs, and possibly take control of the entire system on vulnerable Android 12 devices. Here are the details.

The Dirty Pipe vulnerability, tracked as CVE-2022-0847 (its Common Vulnerabilities and Exposures identifier), was discovered by Android developer Max Kellermann. He used a Pixel 6 to discover the vulnerability and reported it to Google. The vulnerability originated with Linux 5.8, which was released for Android back in 2020. According to Ars Technica’s Ron Amadeo, the vulnerability affects only brand-new Android 12 devices like the Pixel 6 and Galaxy S22.

"By my count, Dirty Pipe affects only brand-new Android 12 devices like the Pixel 6 and S22. Linux 5.8 and above has only been an Android option for five months. https://t.co/WmstZDoA5t pic.twitter.com/PEFhcwUQYV" - Ron Amadeo (@RonAmadeo), March 8, 2022

Dirty Pipe affects Linux pipes (which transfer data from one app or process to another) and pages (small chunks of memory). The bug abuses pipes and pages, allowing attackers to change data or gain full control over the device. You can read all the technical details over here.

Following Kellermann’s report, Linux released fixes for supported devices in versions 5.16.11, 5.15.25, and 5.10.102 last month. After that, Google also integrated Kellermann’s fix into the Android kernel, although it has not yet been released to users as of this writing. It is suggested that Google will release the fix for Dirty Pipe either with a special patch update or with the April security update.
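As an added example (not code from the article or from any vendor), the version numbers above can be turned into a quick triage check for a kernel release string such as the output of `uname -r`. The function names, status labels and sample strings are assumptions made for this illustration.

```python
import re

# Version data taken from the article: the bug originated with Linux 5.8,
# and fixes shipped in 5.10.102, 5.15.25 and 5.16.11.
INTRODUCED = (5, 8)
FIXED_IN = {(5, 10): 102, (5, 15): 25, (5, 16): 11}

# Leading "major.minor[.patch]" of a release string; vendor suffixes are ignored.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release):
    """Return (major, minor, patch) from a `uname -r` style string, or None."""
    match = _RELEASE_RE.match(release.strip())
    if not match:
        return None
    return int(match.group(1)), int(match.group(2)), int(match.group(3) or 0)


def dirty_pipe_status(release):
    """Classify a kernel release against the versions named in the article."""
    version = parse_release(release)
    if version is None:
        return "unparseable"
    major, minor, patch = version
    if (major, minor) < INTRODUCED:
        return "not_affected"      # older than the release that introduced the bug
    fix_patch = FIXED_IN.get((major, minor))
    if fix_patch is None:
        return "unlisted_branch"   # 5.8 or newer, but no fix version given in the article
    return "fixed" if patch >= fix_patch else "affected"


# Constructed sample strings, not taken from real devices.
SAMPLES = [
    "4.19.191-perf+",
    "5.10.43-android12-9-00005-g0000000",
    "5.10.102",
    "5.15.25-generic",
    "5.13.0",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:40s} {dirty_pipe_status(sample)}")
```

The version string is only a first-pass indicator: a vendor kernel can carry a backported fix without changing its version number, so an "affected" result should be confirmed against the device's security patch level.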