Google released the Android security update for April earlier this week, but the patch didn’t include a fix for the ‘Dirty Pipe’ security vulnerability that was widely publicized last month. Even though we’ll likely have to wait until the May update for most devices to be fixed, some manufacturers have started to patch their own devices, including Google itself.
Dirty Pipe (CVE-2022-0847) is a vulnerability discovered in the Linux kernel that allows someone to inject and overwrite data in read-only processes, without any root or admin permissions. The vulnerability has already been used to achieve temporary root access on Android, but it could also allow malware and other unknown software to gain system access.
Dirty Pipe has now been fixed in the Linux kernel (with versions 5.16.11, 5.15.25, and 5.10.102), as well as Android’s version of the Linux kernel, but the patch wasn’t included in the April security update. It will presumably arrive in the May update, but not everyone wants to wait that long. Some custom kernels for the Pixel 6 and Pixel 6 Pro, such as the Kirisakura kernel, include the patch. Google’s Android QPR3 Beta 2 for the Pixel 6 and Pixel 6 Pro, which was released on Thursday, has a patched kernel version.
Samsung seems to be the only manufacturer rolling out a fix to phones on stable software, as part of the April 2022 update on Galaxy devices; the company’s security bulletin mentions CVE-2022-0847, and the update has been verified to block Dirty Pipe attacks. The Xiaomi 12/12 Pro still seem to be vulnerable, as those phones haven’t received a security update since the initial release in February. OnePlus hasn’t released source code for its April update yet.
We’ll have to wait and see which manufacturers wait for the May update, and which companies push an update early (as Samsung is doing). Either way, you should probably avoid installing sketchy APKs for the time being.