Support our independent tech coverage. Chrome Unboxed is written by real people, for real people—not search algorithms. Join Chrome Unboxed Plus for just $2 a month to get an ad-free experience, access to our private Discord, and more. Learn more about membership here.
START FREE TRIAL (MONTHLY)START FREE TRIAL (ANNUAL)
A Linux vulnerability referred to as “Dirty Pipe” (CVE-2022-0847), has recently been publicly disclosed affecting kernels higher than 5.8, which can grant any attacker root privileges to your device. This exploit, first reported by known security researcher Max Kellerman, has been coined the biggest security threat to Linux in years and can affect any Linux-powered device, such as Chromebooks and Android devices.
Thankfully, after discovering the vulnerability back in February, Kellerman sent a bug report and a patch to the Linux kernel security team, only to discover that the bug could also be reproduced on the Google Pixel 6 as well. Following this, Kellerman immediately reported this to the Android Security Team, which merged his bug fix into the Android kernel.
As discovered by 9to5Google, The Chrome OS team also picked up the fix on March 7th and seems to have it scheduled to roll out as an incremental update to Chrome OS 99, which just hit the Stable channel yesterday. As far as Android goes, the bug only affects newer kernels and most Android devices are using an older version — except the Samsung Galaxy S22 and the Google Pixel 6 series — which as we have become painfully aware won’t be receiving an update until later this month. According to Google though, the Pixel 6 update delay has nothing to do with the timing of this patch.
How can I keep my Chromebook and/or Pixel 6 safe?
Even though this exploit is very recent and there have been no reported cases where it has been used nefariously, it is always better to remain cautious in these cases. First, you will want to check if your device could potentially be at risk from “Dirty Pipe”. We know the two Android devices that are at risk, but if you want to verify this on your Chromebook, 9to5Google gives a very simple how-to below:
On Chrome OS, open a new tab and navigate to chrome://system and scroll down to “uname.” If the number after “Linux localhost” is higher than 5.8, your device may be affected.
9to5Google
For now, and until a patch is applied, the best way to keep your device safe is to avoid running apps that request access to your device’s files unless it’s an app you know and trust. The information is out there now on how to use this exploit, so it is not unlikely that a bad actor will try to take advantage of it. Please be careful and watch this space for any new developments on this front.
SUBSCRIBE TO UPSTREAM
Get Chrome Unboxed delivered straight to your inbox
Upstream is our flagship, curated newsletter with the top stories, most click-worthy deals, giveaways, and trending articles from Chrome Unboxed sent directly to your inbox a few times a week. Join 31,000+ subscribers.
