Android’s May security update is out, and that means the Pixel 6 is finally getting a patch for the Dirty Pipe vulnerability. The update comes one month after Samsung shipped Google’s patch to the Galaxy S22, but at least it’s finally arriving.
Dirty Pipe, aka CVE-2022-0847, is one of the biggest Linux vulnerabilities to come around in recent years. The vulnerability lets an unprivileged user overwrite data that is supposed to be read-only, which can lead to additional privilege escalation. Android actually has a working demo of this. Twitter user @Fire30_ demoed using the bug to root a Pixel 6. Linux devices running 5.8 and up are affected, and after the vulnerability was discovered on February 19, patches for PC distributions of Linux started rolling out after 17 days.
Android has been a different story, though. First, not that many devices run Linux kernel 5.8 yet. Despite that version releasing in August 2020, Android only jumped from 5.4 to 5.10 with the release of Android 12 in November. Since existing devices typically don’t jump major kernel versions when they get an Android update, that means only new devices coming with Android 12 have kernel 5.10. That’s a very small number of new devices that launched in the past eight months or so—namely the Pixel 6, Galaxy S22, and OnePlus 10 Pro.
According to the researcher who discovered the flaw, Google fixed Dirty Pipe in the Android codebase on February 23. Samsung took that code from Google and rolled it out to the Galaxy S22 last month, but Google ended up waiting a whole extra month, and it’s finally arriving to Pixel 6 users this week. OnePlus is still a laggard.
Google categorizes Dirty Pipe as only “high” severity, which explains why the company hasn’t quickly pushed out an update. Dirty Pipe doesn’t hit the level of a “critical” vulnerability on Android because it’s not remotely exploitable. You need to have local access to use the exploit, and as long as there are no other known vulnerabilities, you should be safe if you don’t install anything malicious.
In other Android update news, the end of the line for the midrange Pixel 3a is in sight. With three years of major OS updates, May 2022 marks the Pixel 3a’s last officially promised OS release. Google told 9to5Google that the device would get one final update by July 2022.
https://arstechnica.com/?p=1851837