A new vulnerability called Dirty Pipe can affect devices running Android 12. Tracked as CVE-2022-0847 (its Common Vulnerabilities and Exposures number, the identifier assigned to known security flaws), Dirty Pipe could be exploited to let Android apps that have permission to read your files perform malicious actions against them and possibly take control of your phone.
The vulnerability affects Linux-powered devices such as Android and Google Home devices, Chromebooks, etc. The vulnerability was introduced on Android with Linux version 5.8, which was released in 2020.
According to a tweet by Ars Technica's Ron Amadeo, only phones that launched with Android 12 installed, such as the Pixel 6 series and Galaxy S22 series, are affected by Dirty Pipe. The developer who initially discovered the vulnerability used a Pixel 6 to report Dirty Pipe to Google. 9to5Google reports that the good news is that, to date, no one has exploited Dirty Pipe, although some developers have created proof-of-concept examples that show how easily the vulnerability can be exploited.
Ars Technica’s Ron Amadeo explains that Dirty Pipe only affects phones released with Android 12 and not updated
To check whether your Pixel 6 or Galaxy S22 series phone is exposed to Dirty Pipe, go to Settings > Android version and look at the kernel version. If it’s above 5.8, your phone is potentially at risk.
Android developer Max Kellermann discovered the vulnerability, and on February 23 Linux released patches (5.16.11, 5.15.25, 5.10.102). The next day, Google merged Kellermann’s patch into the Android kernel. Yet the CVE number was not included in the March security bulletin that just came out, which means that either Google will send out a special patch for the Pixel 6 series and Samsung for the Galaxy S22 series, or the vulnerability will be fixed in the April security release.
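The kernel-version check described above, combined with the fixed releases listed here, as an added example (not code from the article, Google or the kernel project). The sample release strings and the result labels are constructed for illustration; a vendor kernel can carry the fix as a backport without changing its version number, so a "potentially-affected" result means the device's security patch level still has to be checked.

```python
import re

# Version facts taken from the article: the flaw arrived with Linux 5.8 and
# the fixes shipped in 5.16.11, 5.15.25 and 5.10.102.
INTRODUCED = (5, 8)
FIXED_IN = {(5, 16): 11, (5, 15): 25, (5, 10): 102}


def parse_release(release):
    """Return (major, minor, patch) from a kernel release string."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def classify(release):
    """Classify a kernel release against the versions named in the article.

    The labels are assumptions of this example:
      predates-bug         older than 5.8, before the flaw was introduced
      fixed-upstream       at or past the fixed release of its branch
      potentially-affected 5.8 or later with no listed fix applied; a vendor
                           backport may still be present, so this is a prompt
                           to check the patch level, not a verdict
      unlisted-newer       newer branch than any release the article lists
    """
    major, minor, patch = parse_release(release)
    branch = (major, minor)
    if branch < INTRODUCED:
        return "predates-bug"
    if branch in FIXED_IN:
        if patch >= FIXED_IN[branch]:
            return "fixed-upstream"
        return "potentially-affected"
    if branch > max(FIXED_IN):
        return "unlisted-newer"
    # 5.8, 5.9 and 5.11-5.14: the article lists no fixed release for these.
    return "potentially-affected"


# Constructed sample strings in the style shown under Settings > Android version.
SAMPLES = ["4.19.113-perf", "5.10.43-android12-9-00005-g0000000", "5.10.102", "5.15.24"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:40} {classify(s)}")
```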
To protect your new Pixel 6, Pixel 6 Pro, Galaxy S22, Galaxy S22+, or Galaxy S22 Ultra from Dirty Pipe, don’t run apps you can’t trust. And for the best protection, don’t install any new apps until we see that Google has released the patch specifically for Dirty Pipe. That may be a lot to ask, but why risk giving root access to your phone to someone who would like to steal your personal information just because you want to download your fifth weather app?
On April 4, Google will release the April security patch and we’ll see if Google patched the vulnerability at that time. If it is fixed sooner, we will let you know.