CVE-2022-0847 aka Dirty Pipe vulnerability in Linux kernel

Last week, security researcher Max Kellermann discovered a high severity vulnerability in the Linux kernel, which was assigned the designation CVE-2022-0847. It affects the Linux kernels from 5.8 through any version before 5.16.11, 5.15.25 and 5.10.102, and can be used for local privilege escalation. The vulnerability resides in the pipe tool, which is used for unidirectional communication between processes, so the researcher called it “Dirty Pipe”. Although the flaw is fixed in the latest Linux kernel versions, and, according to our data, there is no mass exploitation of this vulnerability at the moment, a detailed description and a working POC are available online, which increases the risk of this vulnerability being exploited by attackers.

Kaspersky products protect against attacks leveraging the Dirty Pipe vulnerability. The detection verdicts are:

  • HEUR:Exploit.Linux.CVE-2022-0847.a
  • HEUR:Exploit.Linux.CVE-2022-0847.b
  • HEUR:Exploit.Linux.CVE-2022-0847.с
  • HEUR:Exploit.Linux.CVE-2022-0847.gen

Dirty Pipe technical details

An unprivileged local user could use the Dirty Pipe flaw to write to pages in the page cache backed by read-only files and as such, escalate their privileges on the system. This vulnerability happens due to usage of partially uninitialized memory of the pipe buffer structure during its construction. A lack of zero initialization of the new structure’s member results in a stale value of flags, which can be abused by an attacker to gain write access to pages in the cache even if they originally were marked with a read-only attribute.

There are plenty of ways for attackers to gain the root privileges using this vulnerability, such as unauthorized creation of new cron jobs, SUID binary hijacking, /etc/passwd modification, and so on.

A working version of the Dirty Pipe exploit is already available on various security-related sites and repositories, so it can be used by attackers ITW.

Dirty Pipe mitigations

To ensure that your corporate infrastructure is protected against this and similar threats:

  • Apply all relevant security updates once they are available. To patch CVE-2022-0847, update your Linux systems to versions 5.16.11, 5.15.25 and 5.10.102 or newer.
  • Use a security solution that provides patch management and endpoint protection, such as Kaspersky Endpoint Security for Linux.
  • Use the latest Threat Intelligence information to stay aware of actual TTPs used by threat actors.

IOCs (MD5 hashes of CVE-2022-0847 exploits)


CVE-2022-0847 aka Dirty Pipe vulnerability in Linux kernel

Your email address will not be published.



APT trends report Q1 2022

This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q1 2022.

Lazarus Trojanized DeFi app for delivering malware

We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a full-featured backdoor.

MoonBounce: the dark side of UEFI firmware

At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41.

Subscribe to our weekly e-mails

The hottest research right in your inbox