Linux Kernel Dirty Pipe Vulnerability (8th March 2022)

Ref# AL2022_13 | Date: Mar 8th 2022


Linux distributions are working on fixes to address the discovery of a new kernel security vulnerability that might allow an attacker to rewrite arbitrary data into read-only files and seize complete control of affected systems. This Vulnerability also affects Android users


The vulnerability which is being tracked as Dirty pipe (CVE-2022-0847) leads to privilege escalation since unprivileged processes can inject code into process. This flaw is said to have existed since version 5.8, with the vulnerability sharing similarities to that of Dirty Cow (CVE-2016-5195), which came to light in October 2016.

How it works

Pipe, short for pipeline, is a unidirectional inter-process communication method in which a series of processes are linked together so that each process receives input from the one before it and produces output for the one after it.

In the Linux kernel”s copy_page_to_iter_pipe and push_pipe functions, a problem was discovered in the way the “flags” part of the new pipe buffer structure was not properly initialized, and hence may contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read-only files and as such escalate their privileges on the system.

The Dirty Pipe vulnerability not only works without write permissions, but it also works with immutable files, on read-only btrfs snapshots and on read-only mounts including CD-ROM mounts because the page cache is always writable (by the kernel) and writing to a pipe never checks any permissions.

The following steps must be taken in order to exploit the flaw: Create a pipe, fill it with arbitrary data, drain it, splice data from the target read-only file into the pipe, and write arbitrary data into it.

This high-risk flaw allows a malicious user to do a variety of things on a system, including tampering with sensitive files like /etc/passwd to change a root user”s password, adding SSH keys for remote access, and even running arbitrary binaries with the highest privileges.


This vulnerability has been fixed in Linux versions 5.16.11, 5.15.25, and 5.10.102. Google has also sent out updates for Android in its latest release.

The Guyana National CIRT recommends that users and administrations review this alert and apply it where necessary.

PDF Download: Linux Kernel Dirty Pipe Vulnerability.pdf