April Security Update Doesn't Fix Dirty Pipe Vulnerability… Or Does It?


The April 2022 Android security update is now live for Google Pixel and Samsung Galaxy smartphones. Among other things, the latest security patch seems to have fixed the Dirty Pipe vulnerability that affected the Pixel 6 and Galaxy S22 series devices. Or has it?

Both Samsung and Google recently published their respective security bulletins for April 2022. Interestingly, though, only Samsung’s bulletin mentions the fix for the Dirty Pipe vulnerability. The company lists the Common Vulnerabilities and Exposures (CVE) number CVE-2022-0847, which Google had assigned to Dirty Pipe earlier this year, as a high-severity CVE item fixed by Google.

However, the identifier CVE-2022-0847 is nowhere to be found in Google’s updated security bulletin. Even the Pixel-specific security patch for April 2022 doesn’t mention it. This suggests that the latest security update doesn’t patch the Dirty Pipe vulnerability on the Pixel 6 and Pixel 6 Pro devices. Mishaal Rahman of Esper.io says the kernel version of the Pixel 6 Pro after installing the April patch also indicates that the vulnerability is unpatched.


Has Samsung fixed the Dirty Pipe vulnerability on its own with the April update?

Samsung, on the other hand, seems to have patched the Dirty Pipe vulnerability on its affected devices with the April SMR (security maintenance release). This is a bit surprising, and confusing too. The vulnerability comes from Linux, the open-source platform that Android originates from. So Google should have first implemented a fix for it at the Android level.

That said, Dirty Pipe only affects devices running Linux kernel version 5.8 or newer. According to reports, select smartphones that use Qualcomm’s Snapdragon 8 Gen 1 or Google’s Tensor processor and debuted with Android 12 are vulnerable to it. These include the Galaxy S22, Pixel 6, Xiaomi 12 Pro, and OnePlus 10 Pro. So maybe Google prepared a fix for Dirty Pipe and provided it to the manufacturers of the affected devices so they could push the update as and when they can. Samsung pushed the patch to the Galaxy S22 series as part of the April update.

This also explains why Google’s Pixel-specific security bulletin doesn’t include CVE-2022-0847. Since the vulnerability doesn’t affect all Pixel devices, Google plans to seed the patch separately to the Pixel 6 series. However, these are just assumptions. We still have no official confirmation regarding the Dirty Pipe fix for the Pixel 6 series. Hopefully, Google will tell us something soon. We will keep you posted.


Meanwhile, if you’re using a Pixel 6 device, you might want to install the April update as soon as possible and hope that it includes the fix for Dirty Pipe. This vulnerability allows an attacker to gain system-level access to your device and take full control of it remotely.
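
The kernel-version check mentioned above can be scripted. The following is an added example, not code from Google, Samsung, or anyone quoted in this article: it classifies a kernel release string against the 5.8 lower bound given above. The function names, verdict strings, and sample release strings are made up for illustration, and the first fixed release for a branch is an input you supply from the vendor's bulletin.

```shell
#!/bin/sh
# Added example: triage a `uname -r` string for Dirty Pipe (CVE-2022-0847).
# Only the 5.8 lower bound comes from the article. FIXED, the first fixed
# release on the device's branch, is an input you take from a vendor bulletin.

# "5.10.43-android12-9-g0000000" -> "5.10.43" (drop the vendor suffix)
numeric_part() { v=${1:-}; printf '%s\n' "${v%%[!0-9.]*}"; }

# Dotted version -> one comparable integer; missing fields count as 0.
ver_key() {
    IFS=. read -r maj min pat rest <<EOF
$1
EOF
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# dirty_pipe_triage RELEASE [FIXED]  (function and verdict names are hypothetical)
dirty_pipe_triage() {
    rel=$(numeric_part "${1:-}")
    [ -n "$rel" ] || { echo unknown; return 2; }
    k=$(ver_key "$rel")
    if [ "$k" -lt "$(ver_key 5.8)" ]; then
        echo not-affected            # older than the affected range
        return 0
    fi
    if [ -z "${2:-}" ]; then
        echo in-affected-range       # version alone cannot show a fix
        return 1
    fi
    f=$(ver_key "$(numeric_part "$2")")
    if [ $((k / 1000)) -ne $((f / 1000)) ]; then
        echo in-affected-range       # FIXED is for a different branch
        return 1
    fi
    if [ "$k" -ge "$f" ]; then
        echo at-or-after-fix
        return 0
    fi
    # Vendors can backport a fix without bumping the version, so this
    # verdict means "confirm in the bulletin", not "proven vulnerable".
    echo predates-fix
    return 1
}

# Constructed sample strings, not taken from any real device.
for s in "4.19.113-perf" "5.10.43-android12-9-g0000000"; do
    printf '%s -> %s\n' "$s" "$(dirty_pipe_triage "$s")"
done
```

On a phone, the release string is the output of `adb shell uname -r`.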