This month’s Android Security Bulletin was released yesterday; however, it does not address the Dirty Pipe vulnerability, a significant and high-profile flaw that still remains on Android phones.
For those who aren’t aware, Google releases a large security “patch level” for Android every month that includes fixes for security flaws.
Smartphone manufacturers get first access to the patch, allowing them to release updates at the start of each month.
Some manufacturers, on the other hand, release these updates every two months or once a quarter.
Every month, Google also releases a bulletin that summarizes the vulnerabilities fixed across the available monthly patch levels.
The bulletin specifies the type of each vulnerability, its severity, and the CVE number assigned to it.
A Linux kernel vulnerability known as Dirty Pipe allows an unprivileged user to overwrite data in read-only files.
This results in privilege escalation and arbitrary code execution, allowing a malicious user or hacker to take complete control of the device.
According to Max Kellermann, who discovered the Dirty Pipe vulnerability, the bug affects kernel versions 5.8 and later.
Kernels are no longer affected once they include the February patches, released as versions 5.16.11, 5.15.25, and 5.10.102.
The vulnerability requires a recent version of the Linux kernel, and Android phones often stay on a single kernel version for most of their lifespan.
Only devices with a Snapdragon 8 Gen 1 that launched on Android 12 or later are vulnerable, with the exception of the Pixel 6 and its Generic Kernel Image support.
The Galaxy S22 series, Xiaomi 12 Pro, OnePlus 10 Pro, and Google’s Tensor-powered Pixel 6 and 6 Pro are just a few examples.
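The version ranges above can be turned into a quick triage check for kernel release strings collected from a device fleet (for example, the output of `uname -r`). This is an added example, not code from Google's bulletin or from Max Kellermann; the function names and sample strings are constructed, and treating 5.17 and later as fixed is an assumption the article does not state.

```python
import re

# Fixed stable releases named in the article, keyed by (major, minor) branch.
FIXED_SUBLEVEL = {(5, 10): 102, (5, 15): 25, (5, 16): 11}
FIRST_AFFECTED = (5, 8)         # article: the bug affects 5.8 and later
FIRST_FIXED_MAINLINE = (5, 17)  # assumption: not stated in the article


def parse_release(release):
    """Extract (major, minor, sublevel) from a `uname -r` style string."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def dirty_pipe_status(release):
    """Classify a kernel release by version number alone.

    Returns 'not-affected', 'patched' or 'vulnerable'. A vendor can backport
    the fix without changing the version string, so 'vulnerable' here means
    "check the vendor changelog or security patch level before concluding".
    """
    major, minor, sub = parse_release(release)
    branch = (major, minor)
    if branch < FIRST_AFFECTED:
        return "not-affected"
    if branch >= FIRST_FIXED_MAINLINE:
        return "patched"
    fixed = FIXED_SUBLEVEL.get(branch)
    # Branches in the affected range with no fixed release listed in the
    # article (e.g. 5.8, 5.11) are reported as vulnerable.
    if fixed is not None and sub >= fixed:
        return "patched"
    return "vulnerable"


# Constructed sample release strings, not taken from real devices.
SAMPLES = [
    "4.19.157-perf+",
    "5.10.43-android12-9-00001-gexample",
    "5.10.102",
    "5.15.24",
    "5.16.11-arch1-1",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:40} {dirty_pipe_status(s)}")
```

A `patched` result from the version number is reliable for the releases listed; a `vulnerable` result still needs confirmation against the device's actual kernel source or vendor advisory.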