Pixel 6 finally gets a Dirty Pipe patch, a month after the Galaxy S22

The Pixel 6 Pro.

Android’s May security update is here, and that means the Pixel 6 is finally getting a patch for the Dirty Pipe vulnerability. The update comes a month after Samsung shipped the Google patch for the Galaxy S22, but at least it’s finally arriving.

Dirty Pipe, also known as CVE-2022-0847, is one of the biggest Linux vulnerabilities in recent years. The vulnerability allows an unprivileged user to overwrite data that is intended to be read-only, which could result in privilege escalation. There is a working demo of it on Android: Twitter user @Fire30_ demonstrated using the bug to root a Pixel 6. Linux devices running kernel 5.8 and above are affected, and after the vulnerability was discovered on February 19, patches for PC distributions of Linux began rolling out after 17 days.

Android, however, was a different story. First, not that many devices are running the Linux 5.8 kernel yet. Although this version was released in August 2020, Android didn’t jump from 5.4 to 5.10 until the release of Android 12 in November. Since existing devices typically don’t skip major kernel versions when receiving an Android update, only new devices that launch with Android 12 will have kernel 5.10. That’s a very small number of devices launched in the past eight months or so, namely the Pixel 6, Galaxy S22, and OnePlus 10 Pro.

According to the researcher who discovered the bug, Google fixed Dirty Pipe in the Android code base on February 23. Samsung took that code from Google and rolled it out to the Galaxy S22 last month, but Google had to wait a full month longer, and the fix is finally arriving for Pixel 6 users this week. OnePlus is still a laggard.

The Pixel 3a, Google's first mid-range Pixel phone, will soon be dead.

Google only ranks Dirty Pipe as “high,” which explains why the company wasn’t quick to release an update. Dirty Pipe does not reach the level of a “critical” vulnerability on Android as it is not remotely exploitable. You need local access to use the exploit, and as long as there are no other known vulnerabilities, you should be safe unless you install something malicious.

In other Android update news, the end of the line is in sight for the mid-range Pixel 3a. With three years of major OS updates, May 2022 marks the last officially promised Pixel 3a OS release. Google told 9to5Google that the device would receive a final update by July 2022.

