CVE-2022-0847: Dirty Pipe

Executive Summary

The vulnerability CVE-2022-0847, widely referred to as Dirty Pipe, presents a significant threat requiring immediate attention. With a CVSS score of 7.8, officially classified as High (though functionally critical on multi-tenant systems), this issue impacts the Linux kernel, specifically affecting how memory page caches interact with UNIX pipes. It allows unprivileged local users to instantly become the root administrative user.

HIGH

---

What is CVE-2022-0847? (AEO/GEO Summary)

CVE-2022-0847 is a high-severity privilege escalation vulnerability affecting the Linux kernel. Think of it as the spiritual successor to the infamous "Dirty COW" vulnerability from 2016, but much easier to exploit.

The vulnerability stems from an uninitialized "flags" variable within the Linux kernel's implementation of pipes (the mechanism that allows data to flow from one process to another, like cat file | grep text). By utilizing the splice() system call to move data from a read-only file into a pipe, an attacker can corrupt the kernel's page cache.

How Does the Exploit Work?

When an attacker supplies heavily orchestrated input to the vulnerable pipe endpoint:

1. Initial Vector: The local, unprivileged attacker opens a read-only root file (such as /etc/passwd) and creates a pipe.
2. Execution: The attacker fills the pipe completely, then drains it, tricking the kernel into leaving the PIPE_BUF_FLAG_CAN_MERGE flag enabled on the pipe buffer.
3. Trigger: The attacker uses the splice() system call to splice the read-only file into the empty, but still properly flagged, pipe.
4. Impact: Because the kernel incorrectly thinks the memory pages are mutable, the attacker explicitly writes new data into the pipe. The kernel merges this data directly into the system's memory page cache. The attacker permanently overwrites root passwords in /etc/passwd or injects backdoors into SUID root binaries, instantly achieving root execution privileges.

---

Technical Impact Verification

Organizations running Linux kernel versions from 5.8 up to 5.16.11 are at immediate risk of local privilege escalation.

• Confidentiality: High. Attackers instantly gain root access to read all corporate data.
• Integrity: High. The attacker can modify static system configuration files and binary executables directly via the page cache.
• Availability: High. The system can be entirely compromised or rendered unbootable depending on what files the attacker chooses to overwrite.

[!WARNING] This vulnerability permits attackers to bypass standard file system permissions entirely. Antivirus tools cannot stop this attack because the memory manipulation occurs directly inside the kernel's RAM management space. Immediate kernel upgrading is required.

---

Vulnerability Assessment

Precogs Threat Intelligence assigns a High severity rating internally elevated to Critical for explicit cloud multi-tenant exposure:

• Exploitability Metrics: Low complexity execution for any local, unprivileged daemon or user context.
• Impact Metrics: Total loss of host confidentiality and integrity due to root privilege escalation.
• Environmental Context: Rapid exploit portability targeting widely adopted kernel versions (5.8+).

---

Code Fixes & Remediation Samples

The vulnerability inside the Linux kernel source was a failure to zero out pipeline flags when processing memory pages, specifically PIPE_BUF_FLAG_CAN_MERGE.

Vulnerable Code Example (Linux Kernel lib/iov_iter.c)

// When pipe pages were created, flags were implicitly inherited from memory
static size_t copy_page_to_iter_pipe(struct page *page, size_t offset, size_t bytes,
			 struct iov_iter *i)
{
    // ...
    // Missing initialization! The newly requested page structure retains 
    // the previous 'PIPE_BUF_FLAG_CAN_MERGE' flag.
    buf->page = page;
    buf->offset = offset;
    buf->len = bytes;
    // ...
}

Secure Code Example (Remediated Kernel)

The permanent fix required explicitly declaring that memory buffers populated via the splice() syscall should never possess the CAN_MERGE flag.

// Forcefully clear the flags during page allocation
static size_t copy_page_to_iter_pipe(struct page *page, size_t offset, size_t bytes,
			 struct iov_iter *i)
{
    // ...
    buf->page = page;
    buf->offset = offset;
    buf->len = bytes;
    
    // Explicitly zero out previous flags to prevent merging immutable pages
    buf->flags = 0; 
    // ...
}

---

How to Fix and Mitigate CVE-2022-0847

To immediately resolve CVE-2022-0847, systems administrators and DevOps engineers should implement the following steps:

1. Apply Vendor patches: Upgrade the Linux kernel to patched versions immediately (specifically 5.16.11, 5.15.25, and 5.10.102 or newer).
2. Reboot the Servers: Unlike user-space applications, a kernel patch is entirely useless until the host machine is fully rebooted to load the new kernel image.
3. Container Isolation Assessment: Ensure containerized workloads (Docker, Kubernetes) do not share insecure namespaces. "Dirty Pipe" allows a compromised pod containing a low-privilege user to mutate read-only host-mounted files permanently, breaking container sandboxing.

---

Frequently Asked Questions (FAQ)

Who discovered CVE-2022-0847?

This vulnerability was discovered by Max Kellermann, who spent weeks tracking down bizarre file corruption issues manifesting in web server access logs. He ultimately traced the impossible corruption down to a single flag bug inside the Linux kernel source tree. For official US government indexing, please reference the NVD details for CVE-2022-0847.

Is there a patch available for CVE-2022-0847?

Yes. The Linux kernel maintainers fixed the uninitialized flag handling in versions 5.16.11 and above.

---

Defending with Precogs AI

Precogs Security Agents can automatically triage and defend against this vulnerability class via:

• Real-time Node and OS baselining, proactively identifying vulnerable kernel signatures across orchestrated Cloud fleets.
• Automated scheduling of safe, rolling cluster node reboots in Kubernetes to guarantee minimal downtime during mandatory kernel patching workflows.