The Android Security Bulletin for this month got published yesterday and it does not address the Dirty Pipe vulnerability, which is a critical and high-profile exploit that still exists in Android phones.
For those unaware, every month Google rolls out a big security “patch level” for Android that includes fixes for security vulnerabilities. Smartphone manufacturers gain early access to this patch so they can roll out updates at the beginning of each month. But some manufacturers roll out these changes every two months, or once every quarter.
Additionally, Google also announces a bulletin every month that briefs about the vulnerabilities that have been addressed across the monthly patch levels provided. The bulletin details the type of vulnerability, its severity, and the CVE identifier assigned to it. However, this month’s notes are missing the CVE-2022-0847 identifier, which is tied to the Dirty Pipe vulnerability.
Dirty Pipe vulnerability is a Linux kernel vulnerability that authenticates an unprivileged user to overwrite data in read-only files. This leads to privilege escalation and arbitrary code execution, meaning a malicious user or a hacker could gain full access to the device.
As reported by Max Kellermann, the person who identified the Dirty Pipe vulnerability, the problem affects kernel version 5.8 and later. Whereas, after the February updates of the kernels 5.16.11, 5.15.25, and 5.10.102, they are also unaffected by the vulnerability.
The vulnerability requires a very recent version of the Linux kernel, whereas Android phones tend to survive on a single version for most of their lives. Excluding the Pixel 6 and its Generic Kernel Image support, only smartphones with a Snapdragon 8 Gen 1 launched on Android 12 or a later version are vulnerable.
Such smartphones include the Galaxy S22 series, Xiaomi 12 Pro, OnePlus 10 Pro, and Google’s Tensor-powered Pixel 6 and 6 Pro.