CVE-2022-0847 (Dirty Pipe)

A vulnerability in Linux, nicknamed “Dirty Pipe”, which allows an unprivileged user to overwrite data in read-only files. This can lead to privilege escalation which result inject code into the root processor.

This Vulnerability was found by Max Kellerman of CM4all.

This vulnerability resides in the pipe tool which is used for unidirectional communication between processes so researcher called it “Dirty Pipe”. Although CVE(COMMON VULNERABILITY AND EXPOSUSERS)-2022-0847 flaw is fixed in latest Linux versions. The Fixed versions are 5.16.11, 5.15.25, and 5.10,102. Max Kellerman explained this in detailed at

What is dirty pipe

This Vulnerability in Linux allows the non-privileged users to execute malicious code capable of host of destructive actions including installing backdoors into the system injecting code in scripts, altering binary used by elevated programs, and creating unauthorized user profiles.

Dirty Pipe
Linux Vulnerability

This bug is being tracked as CVE-2022-0847 and has been termed “Dirty Pipe” since it bears a close resemblance to Dirty Cow, an easily exploitable Linux vulnerability from 2016 which granted a bad actor an identical level of privileges and powers.

How does it works?

Dirty Pipe, as the name suggests, makes use of the pipeline mechanism of Linux with malicious intent. Piping is an age-old mechanism in Linux that allows one process to inject data into another. It allows local users to gain root privileges on any system with publicly available and easily developed exploits.

It is a unidirectional and inter-process communication method in which one process takes input from the previous one and produces output for the next in the line.

Dirty Pipe takes advantage of this mechanism combined with the splice function to overwrite sensitive read-only files for instance, /etc/passwd, which can be manipulated to gain a no-password root shell.

Although the process may sound sophisticated, what makes Dirty Pipe incredibly dangerous is that it is redundantly easy to replicate.

It’s Impact

This vulnerability doesn’t only work without write permissions but it also works with immutable files, on read-only btrfs snapshots and on read-only mounts [ It also includes CD-ROM mounts] because the page cache is always writable , and writing to a pipe never checks any permissions.

Depending on architecture of your container’s environment , it can be serious as if an attacker gets access to a single container on the host then he/she can modify the image itself or the files in the read-only mounts from the host.

If a shared image file is used by many containers then attackers can make lot of damage.

Who is impacted by this vulnerability

The attack surface of Dirty Pipe stretches across all Linux kernel versions from 5.8 to 5.16.11. In layman’s terms, it means that all the distros, from Ubuntu to Arch and everything in between, are susceptible to being compromised by Dirty Pipe.

Affected Linux kernel versions range from 5.8 to 5.10.101.

Since this vulnerability sits deep in a foundational piece of the Linux kernel, it can have repercussions all over the world. The ease of exploitation coupled with its scope makes Dirty Pipe a major threat for all Linux maintainers.

Researchers are alerting both businesses and independent users to patch their servers and systems as soon as the security updates are rolled out.

Steps to replicate the exploit

  1. Create you pipe
  2. Input the arbitrary data into the pipe
  3. Drain the data of pipe
  4. Using the splice function, splice the data from the target file into the pipe just before the offset of the target
  5. Input arbitrary data into the pipe that will overwrite the cached file page

Limitation of this exploit

1. The threat actor must have read permissions as, without it, they would not be able to use the splice function.

2. The offset must not be on the page boundary.

3. The write process cannot cross a page boundary.

4. The file cannot be resized.

How to mitigate dirty pipe


On Android, manufacturers are working on applying a critical system update. It is highly recommended to contact your device manufacturer to confirm they are addressing this vulnerability. 

You can create reports in Neurons for Discovery to find which Android endpoints are affected. 

With Ivanti Neurons for MDM, applying a “System Update” configuration and setting the “Android System Update” to “Automatic” will push the latest manufacture approved system updates to your devices.  

Currently, the most common Android devices affected by this vulnerability are Samsung S22 and Google Pixel 6 series.


If your endpoint is running a Linux kernel version 5.8 or higher, you should patch your kernel to 5.16.11, 5.15.25 and 5.10.102 or greater. Most distributions have already released a kernel patch. You can run an update with your distro’s package manager to update to the latest kernel.  

Ivanti Patch for Endpoint Manager can find which Linux endpoints are affected and automatically apply the vulnerability fix.  

Dirty Pipe
Dirty Pipe

What is the future of dirty pipe

According to Linux server statistics, it is the operating system of choice for web servers with over 1 million currently deployed and online. All of this data should be sufficient to clarify the scope of Dirty Pipe and how devastating it could be.

To add to it, much like Dirty Cow, there is no way to mitigate it other than updating your kernel. So, web servers and systems running susceptible kernel versions are in for a world of trouble if they get hit with Dirty Pipe.

Given that there is a fleet of exploits drifting on the internet, it is advised to all system maintainers to stay on their toes at all times and be wary of whoever has local access until their systems are patched.

Share your love
Drashta Shukla
Drashta Shukla

I am a Cyber Security student. I am interested in Website-Testing, Hacking, Linux, Networking and Web-Development. Love to learn new things and working on projects.

Articles: 19