CVE-2022-0847
📋 TL;DR
CVE-2022-0847 (Dirty Pipe) is a Linux kernel vulnerability that allows unprivileged local users to write to read-only files in the page cache, enabling privilege escalation to root. This affects Linux systems with kernel versions 5.8 through 5.16.11, 5.15.25, and 5.10.102. Any system with these kernel versions is vulnerable by default.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Enterprise Linux For Ibm Z Systems by Redhat
View all CVEs affecting Enterprise Linux For Ibm Z Systems →
Enterprise Linux For Ibm Z Systems Eus by Redhat
View all CVEs affecting Enterprise Linux For Ibm Z Systems Eus →
Enterprise Linux For Ibm Z Systems Eus by Redhat
View all CVEs affecting Enterprise Linux For Ibm Z Systems Eus →
Enterprise Linux For Power Little Endian by Redhat
View all CVEs affecting Enterprise Linux For Power Little Endian →
Enterprise Linux For Power Little Endian Eus by Redhat
View all CVEs affecting Enterprise Linux For Power Little Endian Eus →
Enterprise Linux For Power Little Endian Eus by Redhat
View all CVEs affecting Enterprise Linux For Power Little Endian Eus →
Enterprise Linux For Real Time For Nfv by Redhat
View all CVEs affecting Enterprise Linux For Real Time For Nfv →
Enterprise Linux For Real Time For Nfv Tus by Redhat
View all CVEs affecting Enterprise Linux For Real Time For Nfv Tus →
Enterprise Linux For Real Time For Nfv Tus by Redhat
View all CVEs affecting Enterprise Linux For Real Time For Nfv Tus →
Enterprise Linux For Real Time Tus by Redhat
View all CVEs affecting Enterprise Linux For Real Time Tus →
Enterprise Linux For Real Time Tus by Redhat
View all CVEs affecting Enterprise Linux For Real Time Tus →
Enterprise Linux Server Update Services For Sap Solutions by Redhat
View all CVEs affecting Enterprise Linux Server Update Services For Sap Solutions →
Enterprise Linux Server Update Services For Sap Solutions by Redhat
View all CVEs affecting Enterprise Linux Server Update Services For Sap Solutions →
Enterprise Linux Server Update Services For Sap Solutions by Redhat
View all CVEs affecting Enterprise Linux Server Update Services For Sap Solutions →
Fedora by Fedoraproject
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with root privileges, allowing attackers to modify critical system files, install persistent backdoors, or access all data on the system.
Likely Case
Local privilege escalation from unprivileged user to root, enabling attackers to bypass security controls and gain full system access.
If Mitigated
Limited impact if proper access controls and monitoring are in place, though the vulnerability still provides a path to privilege escalation.
🎯 Exploit Status
Multiple public exploits are available, including proof-of-concept code that reliably achieves privilege escalation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions 5.16.12, 5.15.26, 5.10.103 and later
Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=2060795
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version via distribution package manager. 2. For RHEL/CentOS: 'yum update kernel'. 3. For Ubuntu/Debian: 'apt update && apt upgrade linux-image-*'. 4. Reboot system to load new kernel.
🔧 Temporary Workarounds
Restrict user access
linuxLimit local user access to systems until patched
Disable unprivileged user namespaces
linuxSome exploit variants may use user namespaces
sysctl -w kernel.unprivileged_userns_clone=0
🧯 If You Can't Patch
- Implement strict access controls to limit local user accounts
- Monitor for privilege escalation attempts and unusual file modifications
🔍 How to Verify
Check if Vulnerable:
Check kernel version with 'uname -r' and compare against affected versions. Test with public PoC if needed.Check Version:
uname -rVerify Fix Applied:
Verify kernel version is 5.16.12, 5.15.26, 5.10.103 or later with 'uname -r'📡 Detection & Monitoring
Log Indicators:
- Unusual privilege escalation attempts
- Modifications to read-only system files
- Failed sudo/su attempts followed by successful root access
Network Indicators:
- Not applicable - local exploit only
SIEM Query:
Search for: kernel version changes, privilege escalation events, or modifications to /etc/passwd, /etc/shadow, or other critical read-only files🔗 References
- http://packetstormsecurity.com/files/166229/Dirty-Pipe-Linux-Privilege-Escalation.html
- http://packetstormsecurity.com/files/166230/Dirty-Pipe-SUID-Binary-Hijack-Privilege-Escalation.html
- http://packetstormsecurity.com/files/166258/Dirty-Pipe-Local-Privilege-Escalation.html
- http://packetstormsecurity.com/files/176534/Linux-4.20-KTLS-Read-Only-Write.html
- https://bugzilla.redhat.com/show_bug.cgi?id=2060795
- https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf
- https://dirtypipe.cm4all.com/
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0015
- https://security.netapp.com/advisory/ntap-20220325-0005/
- https://www.suse.com/support/kb/doc/?id=000020603
- http://packetstormsecurity.com/files/166229/Dirty-Pipe-Linux-Privilege-Escalation.html
- http://packetstormsecurity.com/files/166230/Dirty-Pipe-SUID-Binary-Hijack-Privilege-Escalation.html
- http://packetstormsecurity.com/files/166258/Dirty-Pipe-Local-Privilege-Escalation.html
- http://packetstormsecurity.com/files/176534/Linux-4.20-KTLS-Read-Only-Write.html
- https://bugzilla.redhat.com/show_bug.cgi?id=2060795
- https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf
- https://dirtypipe.cm4all.com/
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0015
- https://security.netapp.com/advisory/ntap-20220325-0005/
- https://www.suse.com/support/kb/doc/?id=000020603
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-0847
