Dirty Pipe (CVE-2022-0847)

Dirty Pipe is a Linux kernel vulnerability that lets an unprivileged user write arbitrary bytes into files they are only permitted to read.

Definition

Dirty Pipe (CVE-2022-0847) is a Linux kernel vulnerability that lets an unprivileged user overwrite data in arbitrary read-only files. The bug is in the kernel's pipe-buffer initialisation: a specific sequence of `splice()` + `write()` operations leaves a pipe buffer flagged `PIPE_BUF_FLAG_CAN_MERGE` while still pointing at the page cache of a read-only file. A subsequent `write()` to the pipe modifies the underlying page cache, which the kernel later flushes to disk.

The bug affects kernels from 5.8 onwards; it is fixed in the stable releases 5.16.11, 5.15.25 and 5.10.102. It is a clean and reliable privilege-escalation primitive — overwriting `/etc/passwd`, `/usr/bin/su`, or a SUID binary delivers root.

Mitigation

Update the kernel to a fixed release (5.10.102, 5.15.25, 5.16.11 or later in the respective series).
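The following script is an added example, not part of the original page, showing how a defender can triage a fleet by comparing a `uname -r` style release string against the affected range and the fixed stable releases listed above. It assumes that mainline 5.17 and later carry the fix (the fix predates the 5.17 release; this is not stated on the page). A version string alone cannot prove a distribution kernel is vulnerable, because distributions backport fixes without changing the upstream version number, so "affected" should be read as "check the distribution advisory", not as proof of exposure.

```python
"""Heuristic kernel-version check for CVE-2022-0847 (Dirty Pipe).

Added example (not from the original page). Compares a `uname -r` style
release string against the affected range (5.8 onwards) and the fixed
stable releases 5.10.102, 5.15.25 and 5.16.11. Distribution kernels may
carry a backported fix without a version bump, so treat "affected" as
"needs checking against the distro advisory".
"""
import platform
import re
from typing import Tuple

# Stable releases that ship the fix, per series (from the page).
FIXED_PATCH = {(5, 10): 102, (5, 15): 25, (5, 16): 11}
FIRST_AFFECTED = (5, 8)
# Assumption (not from the page): the fix landed in mainline before 5.17
# was released, so 5.17 and later series are treated as fixed.
FIRST_FIXED_SERIES = (5, 17)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(release: str) -> Tuple[int, int, int]:
    """Parse '5.15.0-58-generic' or '5.10.102' into (major, minor, patch)."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def dirty_pipe_status(release: str) -> str:
    """Return 'not-affected', 'fixed' or 'affected' for a kernel release string."""
    major, minor, patch = parse_kernel_version(release)
    series = (major, minor)
    if series < FIRST_AFFECTED:
        return "not-affected"  # bug was introduced in 5.8
    if series >= FIRST_FIXED_SERIES:
        return "fixed"  # assumption: mainline 5.17+ carries the fix
    fixed_patch = FIXED_PATCH.get(series)
    if fixed_patch is not None and patch >= fixed_patch:
        return "fixed"
    # A 5.8-5.16 series kernel below the fixed patch level (or a series with
    # no stable fix at all): affected unless the distribution backported it.
    return "affected"


def main() -> None:
    release = platform.release()
    print(f"kernel {release}: {dirty_pipe_status(release)}")


if __name__ == "__main__":
    main()
```

Run it on each host (or feed collected `uname -r` output to `dirty_pipe_status`) and cross-check any "affected" result against the distribution's changelog before scheduling the kernel update.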
