The security world has been abuzz this week about a new Linux exploit called “Dirty Pipe,” which also affects Android 12 devices like Galaxy S22 and Pixel 6. Here’s everything you need to know about “Dirty Pipe,” which devices it affects, and how best to avoid it. Recently disclosed by Max Kellermann as vulnerability CVE-2022-0847, “Dirty Pipe” is a security exploit in select recent versions of the Linux kernel. (The kernel is the core of an operating system, often acting as the go-between from applications to your actual hardware.) In short, any application that can read files on your phone/computer — permission many Android apps ask for — can potentially mess with your files or run malicious code. On desktop/laptop versions of Linux, this has already been shown to be easily able to get admin privileges. Broadly speaking, “Dirty Pipe” affects Linux-powered devices — which includes everything from Android phones and Chromebooks to Google Home devices like the Chromecasts, speakers, and displays. More specifically, the bug was introduced with Linux kernel version 5.8, released in 2020, and remained present in future releases. On the Android side of things, as noted by Ars Technica‘s Ron Amadeo, the damage potential of “Dirty Pipe” is far more limited. Most Android devices actually use an older version of the Linux kernel, unaffected by the exploit. Only devices that started their lives on Android 12 have a chance of being affected. Unfortunately, that means Android phones like the Google Pixel 6 series and Samsung Galaxy S22 series are both potentially at risk from “Dirty Pipe.” In fact, the developer who originally discovered the exploit was able to reproduce it on a Pixel 6 and reported it to Google. The easiest way to check whether your device is affected is to view your Linux kernel version. To do so, open the Settings app, open “About phone,” tap “Android version,” then look for “Kernel version.” If you see a version higher than 5.8 — and if Google hasn’t yet released a security patch — then your device is potentially at risk from the “Dirty Pipe” exploit. As of now, there are no known instances of the “Dirty Pipe” exploit being abused to gain control over a phone or computer. That said, quite a few developers have shown proof of concept examples of how easily “Dirty Pipe” can be used. It’s surely only a matter of time before “Dirty Pipe”-based exploits begin appearing in the wild. In addition to originally uncovering the “Dirty Pipe” exploit, Kellermann was also able to identify how to fix it and submitted a fix to the Linux kernel project shortly after disclosing it privately. Two days later, newer builds of supported versions of the Linux kernel were released to include the fix. As previously mentioned, the “Dirty Pipe” exploit was also reported to Google’s Android Security Team in late February. Within days, Kellermann’s fix was added to Android source code, ensuring that future builds would be secure. The Chrome OS team followed suit in picking up the fix on March 7, with the fix seemingly poised to roll out potentially as a mid-cycle update to Chrome OS 99. The full article is posted on OUR FORUM.