Pixel 6 Pro and Galaxy S22 fully owned in Dirty Pipe exploit demo

Earlier today, a video was posted to Twitter by @Fire30_ showing the new Dirty Pipe Linux kernel vulnerability being used to get root in Android on a Galaxy S22 and a Pixel 6 Pro, both apparently running the latest security patches. In each case, root access was achieved in less than a minute with minimal fuss, opening the door to both a simple rooting method that enthusiasts might appreciate and a host of frightening security issues.

If you haven’t been following the latest news, a new kernel-level vulnerability called Dirty Pipe was recently discovered. It’s complicated, but the really short version is that software on recent versions of the Linux kernel can get elevated privileges (i.e. gain root access, among other things) due to the way the kernel supports reading and writing data to “pipes”, with a bug allowing you to write data to a target file when you shouldn’t be able to. Done correctly, this can be used for executing arbitrary code – a fancy way of saying that an application or software can do pretty much anything it wants within other technical limitations, including reading things it should not have access to and performing operations that should require permissions it does not have. The issue affects devices running Linux kernel version 5.8 and later, including Android.


Fixes have already been released to the Linux kernel, and Android is expected to fix the issue in an upcoming monthly patch level. To date, we have not heard of the exploit being actively used in the wild, but that is subject to change.

The video, posted to Twitter, shows both a Samsung Galaxy S22 and a Google Pixel 6 Pro giving up a root shell through the Dirty Pipe exploit, with the phones even switched to a permissive SELinux state. This all serves as a demonstration of the damage it could do. Root-level access is almost carte blanche for applications, and when SELinux is set to a permissive mode, many key security features of an Android device are disabled. In essence, it’s pretty much “fully owned,” as ancient tech slang goes.

Speaking to a security researcher, I was told that the impact of the vulnerability may still depend on other mitigating factors, as well as the simple software requirement of a very recent kernel version. The vast majority of Android devices are currently running older versions of the Linux kernel, which would not be affected.

Finally, although the video illustrates an external device accessing a root shell, I’m told the exploit is almost certainly capable of happening entirely on the device via an app-based method, based on what was shown. Enthusiasts might salivate here as it’s a mechanism to achieve seemingly non-permanent root on Samsung phones, thanks to the company’s less than beefed-up Knox security. And even without modifying the system for permanent root (which would trigger other detection methods and have other problems), an application could simply wait for a boot broadcast and obtain non-persistent root at that time. Of course, an app could also take advantage of all this for more nefarious purposes.

A malicious app with root access can have a serious impact, with the ability to steal your files, images, messages, and other data, and potentially do even worse. Without getting too bogged down in all the possibilities, this is a very serious vulnerability.

Again, we are not yet aware of any active use of the vulnerability in the wild, and only a small subset of very recently released devices are expected to be affected. If you’re worried, check your current kernel version (usually under Settings -> About phone, listed in “Software Information” on Samsung phones, “Android Version” on Pixels). If the kernel version listed is lower than 5.8, the exploit probably won’t work on your phone.
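A scripted form of the kernel-version check described above, as an added example that is not from the original article: it classifies kernel release strings against the 5.8 threshold and compares the fields numerically, because a plain string comparison would sort 5.10 before 5.8. The function name `dirtypipe_range` and the sample release strings are constructed for illustration, and a result of "in-range" says nothing about whether a fix has already been applied.

```shell
#!/bin/sh
# Added example (not from the article): classify kernel release strings
# against the article's "5.8 and later" threshold for Dirty Pipe.

# dirtypipe_range RELEASE -> prints one of:
#   in-range      kernel is 5.8 or later (patch status still unknown)
#   below-range   kernel is older than 5.8
#   unparsed      string does not start with MAJOR.MINOR
dirtypipe_range() {
    rel=$1
    # Keep only the leading "MAJOR.MINOR"; drop patch level and vendor suffix
    ver=$(printf '%s\n' "$rel" |
        sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    if [ -z "$ver" ]; then
        echo unparsed
        return 0
    fi
    major=${ver% *}
    minor=${ver#* }
    # Compare numerically, field by field: as strings, "5.10" sorts before "5.8"
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 8 ]; }; then
        echo in-range
    else
        echo below-range
    fi
}

# Constructed sample release strings in the style Android devices report them
triage_samples() {
    for r in "5.10.43-android12-9-gabcdef" "4.19.113-perf" "5.4.86-qgki" \
             "5.8.0" "6.1.0-rc1" "unknown"; do
        printf '%-32s %s\n' "$r" "$(dirtypipe_range "$r")"
    done
}

# With a device attached over adb:  dirtypipe_range "$(adb shell uname -r)"
triage_samples
```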

Google may update Play Protect to reduce the risk of you installing an app (officially or downloaded from unknown sources) that includes the exploit. We contacted Google for more information, but the company did not immediately respond to our questions on the matter. In the meantime, if you have a phone that might be affected, it might be a good idea to stick with installing apps from trusted sources.




About the Author

amoloans