Yesterday, we mentioned that some researchers have discovered a high-risk security vulnerability in the Linux Kernel. The vulnerability is similar to the high-risk vulnerability Dirty Cow that appeared in 2016, so it was named Dirty Pipe, and the vulnerability number is CVE-2022-0847.
Security researcher Max Kellermann has been responsible for submitting the vulnerability details to the Linux Kernel maintenance team, and at the same time announcing the proof of concept. At present, the Linux Kernel team is fixing the vulnerability in 5.16.11/5.15.25/5.10.102, and the versions of other branches still need to be fixed for the time being. Malware that exploits the vulnerability can successfully escalate from ordinary privileges to root privileges. It is easier to exploit than the Dirty Cow flaw, it is not difficult to obtain root privileges, so the degree of harm of this vulnerability is also very high.
Some researchers have successfully reproduced this flaw on Google Pixel 6, that is, Google Pixel 6 is vulnerable to the CVE-2022-0847 flaw. The researchers got an answer after submitting the question to Google, which said the company was preparing a fix that would be merged into the Android kernel when development was complete.
All OEMs will only need to upgrade the kernel in a future update to patch the vulnerability after the fix is merged. Of course, the biggest question for users is whether and when the OEM will release an update. A large number of slightly older Android devices no longer receive security updates. Often OEMs only release updates for flagships and newer devices, so the security of older devices can have serious implications.
Via: 9to5google