As part of the Android 12 QPR3 Beta which previews the June Feature Drop, Google appears to be testing a fix for the major Dirty Pipe exploit affecting Pixel 6 and Pixel 6 Pro.
Last month, security researchers shared details of an exploit — dubbed “Dirty Pipe” — that would allow an attacker to gain full control of a Linux-based device, including Chromebooks and Android phones. Fortunately, the list of affected Android devices was quite small, limited only to those with a fairly recent version of the Linux kernel, but this meant that the latest flagships from Google and Samsung, the Pixel 6 and Galaxy S22 series respectively, were vulnerable.
The fix for Dirty Pipe was privately shared with Google in February and accepted into Android later that month. This led some to believe that the fix for Dirty Pipe would be included with either the March or April security patches for the Pixel series, but this was not the case. Meanwhile, Samsung has since claimed to have patched Dirty Pipe for the Galaxy S22 in its April update.
As Dirty Pipe is an issue in the core Linux kernel that Android is built upon, any fix for it will require an update to the Linux kernel. Conveniently, Google includes a date with their Linux kernel build names, which can be found in Settings > About Phone > Android version > Kernel version. While using the April 2022 update, you’ll see a listed date of January 21, 2022, over a month before Dirty Pipe was first reported to Google.
This morning, Google released its second beta release of the next Android 12 based Feature Drop — dubbed “QPR3” for “Quarterly Platform Release” — for Pixel phones, set to release in June. With this latest beta update installed on the Pixel 6 or 6 Pro, viewing the kernel version reveals that the new build is from March 15.
At this point, we haven’t been able to confirm whether the patch for Dirty Pipe is in place, but it seems like a near certainty that a build from March would include critical fixes from February. We’ve reached out to Google for confirmation of the fix being in place for QPR3, but they have not yet responded.
Another lingering question is whether Pixel 6 owners who aren’t enrolled in the beta will need to wait until the Feature Drop in June or if the May security patch will bring the fix. With any luck, it will be the latter, given the severity of the Dirty Pipe exploit and its potential for an attacker to take full control of a device without any special permissions.
More on Pixel:
FTC: We use income earning auto affiliate links. More.
Check out 9to5Google on YouTube for more news: