Dirty Pipe – Privilege Escalation Vulnerability in Linux

Dirty Pipe – Privilege Escalation Vulnerability in Linux

Linux is found to have yet another severe privilege escalation vulnerability (CVE 2022-0847) in kernel version 5.8 and above. This vulnerability is allowed bad actors to execute malicious code that can act as a host to destructive actions like installing backdoors into the system, injecting code into scripts, and even creating unauthorized user profiles.

This vulnerability was discovered by Max Kellermann in early March 2022 and is similar to the old Dirty Cow vulnerability (CVE 2016-5195). You must also note that the Dirty pipe vulnerability has been fixed in Linux Kernel versions 5.16.11, 5.15.25, and 5.10.102. If you are using Linux devices, ensure that it is updated to these versions or above.

Let us look at the way the Linux kernel manages memory before we dive into the vulnerability.

Working of Linux Kernel

The kernel is a core program of an operating system. It is in fact the first program loaded when the system starts. The basic unit of memory is the PAGE. It is still unknown how large a page can get, but typically, it is considered as 4Kib. Page cache manages the page and pages are mainly used when a read or write operation is performed on the files on the disk. This reading and writing are performed with the use of PIPES. Piping is an old mechanism that sends the output of one command/process/program into another.  

Before getting into this vulnerability, you should also know about “splice()”. This function speeds up the process of pushing the contents of a file into a pipe. In other words, it points the pipe at a page that is already loaded into the memory where a section of a read-only file is already opened.

Dirty Pipe in Linux                                            

Dirty Pipe vulnerability makes use of the pipeline mechanism to allow local users to gain root access to any system. What makes this vulnerability dangerous is that this vulnerability can be easily exploited with publicly available exploits.

There are several ways to exploit this vulnerability for privilege escalation. This vulnerability makes the bad actors gain root access and write to read-only files possible. If the bad actor gets to the /etc/passwd file containing the list of users and their privileges, they can append to the file a new user with root privileges.

How the exploit works

Let us start by creating a pipe. You will then be copying arbitrary data into that pipe just to ensure that the pipe buff flag (can merge flag) is set in all instances. Then you will be draining the pipe leaving that flag set in all the pipe buffers. This is where the bug occurs.

That flag is supposed to get reset. You will then splice data from a target read-only file into the pipe just before where the target is. Normally when you splice data into a pipe, you cannot write more data to that page. But this pipe buffer has the “can merge flag”.

This results in a mergeable pipe buffer that also has a reference to data in it. Now starts the real exploit. You can now simply write arbitrary data to that pipe buffer and then overwrite what was being referenced.  

The real problem

The write permissions are working fine but the real problem is, the write permissions aren’t checked in pipes. It is because when you are at the pipe level, the kernel believes the permissions are already verified and accepted.

This can make an unauthorized user gain root permissions and even inject arbitrary ssh keys to gain remote access to a system. This raises a big issue, making this vulnerability notable in the InfoSec community.


Updating the kernel is the remedy here. Patch for this vulnerability was released very soon knowing the impact this will cause. The Linux kernel versions 5.16.11, 5.15.25, 5.10.102 are released with the patch included.

If you are using Linux systems, ensure that you are using at least these versions or above.

Stay secure with Clear Infosec

To keep you informed of all the new vulnerabilities and fixes, sign up for our Threat Intelligence newsletter (TIB). Stay informed and stay secure.