Android’s May security update is out, and that means the Pixel 6 is finally getting a patch for the Dirty Pipe vulnerability. The update comes one month after Samsung shipped Google’s patch to the Galaxy S22, but at least it’s finally arriving.
Dirty Pipe, aka CVE-2022-0847, is one of the biggest Linux vulnerabilities to come around in recent years. The vulnerability lets an unprivileged user overwrite data that is supposed to be read-only, which can lead to further privilege escalation. There is a working demo of this on Android: Twitter user @Fire30_ demoed using the bug to root a Pixel 6. Linux devices running kernel 5.8 and up are affected, and patches for PC distributions of Linux started rolling out 17 days after the vulnerability was discovered on February 19.
Android has been a different story, though. First, not that many devices run Linux kernel 5.8 yet. Although that version was released in August 2020, Android only jumped from 5.4 to 5.10 with the release of Android 12 in November. Since existing devices typically don’t jump major kernel versions when they get an Android update, only new devices that ship with Android 12 have kernel 5.10. That’s a very small number of devices launched in the past eight months or so, namely the Pixel 6, Galaxy S22, and OnePlus 10 Pro.