CVE-2022-0847 Overview
CVE-2022-0847, widely known as "Dirty Pipe," is a critical Linux kernel vulnerability affecting the pipe buffer initialization mechanism. The flaw exists in the copy_page_to_iter_pipe and push_pipe functions where the "flags" member of the new pipe buffer structure lacks proper initialization and can contain stale values. This allows an unprivileged local user to write to pages in the page cache backed by read-only files, enabling full privilege escalation on vulnerable systems.
Critical Impact
This vulnerability enables unprivileged local users to overwrite data in read-only files, including SUID binaries, leading to complete system compromise through privilege escalation to root.
Affected Products
- Linux Kernel (versions 5.8 through patched versions)
- Red Hat Enterprise Linux 8.x and various EUS releases
- Fedora 35
- NetApp H-Series Storage Systems (H300S, H500S, H700S, H300E, H500E, H700E, H410S, H410C)
- Siemens SCALANCE LPE9403
- SonicWall SMA1000
- oVirt Engine 4.4.10.2
- Red Hat Virtualization Host 4.0
Discovery Timeline
- 2022-03-10 - CVE-2022-0847 published to NVD
- 2025-11-06 - Last updated in NVD database
Technical Details for CVE-2022-0847
Vulnerability Analysis
The Dirty Pipe vulnerability represents a fundamental flaw in Linux kernel memory management related to pipe operations. When the kernel creates new pipe buffer structures, the flags member is not properly initialized, allowing it to inherit stale values from previous operations. This improper initialization (CWE-665) enables attackers to manipulate the PIPE_BUF_FLAG_CAN_MERGE flag, which controls whether data can be merged into existing pipe buffer pages.
The vulnerability is particularly dangerous because it allows modification of page cache pages that back read-only files. Since the page cache is shared across the system, any file opened for reading—including privileged binaries and system configuration files—can potentially be corrupted by an unprivileged user.
Root Cause
The root cause lies in the improper initialization of the pipe_buffer structure's flags member within the Linux kernel's pipe implementation. Specifically, when new pipe buffers are allocated in copy_page_to_iter_pipe and push_pipe functions, the flags field retains stale values from memory rather than being explicitly zeroed. This allows the PIPE_BUF_FLAG_CAN_MERGE flag to be set even when it shouldn't be, enabling unauthorized write operations to page cache entries.
Attack Vector
The attack requires local access to the system with unprivileged user credentials. An attacker exploits the vulnerability through the following mechanism:
- The attacker opens a target read-only file (such as /etc/passwd or a SUID binary)
- The file's contents are loaded into the page cache
- The attacker creates a pipe and fills it in a specific way to set the PIPE_BUF_FLAG_CAN_MERGE flag
- Using the splice() system call, the attacker directs the pipe to reference the page cache page of the target file
- Due to the improperly set merge flag, subsequent writes to the pipe overwrite the page cache contents
- The changes persist in the page cache, affecting all processes accessing that file
This attack can be weaponized to modify SUID binaries, inject malicious code, or alter system configuration files to achieve root access. Multiple proof-of-concept exploits are publicly available, including variants targeting SUID binary hijacking and direct privilege escalation techniques documented in Packet Storm Security.
Detection Methods for CVE-2022-0847
Indicators of Compromise
- Unexpected modifications to read-only system files including /etc/passwd, /etc/shadow, or SUID binaries
- Anomalous splice() system call patterns from unprivileged processes
- Suspicious pipe operations followed by file access patterns targeting privileged files
- Unauthorized privilege escalation events or new root-level processes spawned by non-root users
Detection Strategies
- Monitor for exploitation attempts using kernel audit rules targeting splice() system calls combined with pipe and file operations
- Deploy file integrity monitoring (FIM) on critical system files and SUID binaries to detect unauthorized modifications
- Implement behavioral analysis to detect privilege escalation patterns where unprivileged processes gain elevated permissions
- Review system logs for unusual process lineage showing low-privilege users spawning root shells
Monitoring Recommendations
- Enable auditd rules to log all splice() system calls: auditctl -a always,exit -F arch=b64 -S splice -k dirty_pipe
- Configure real-time alerts for modifications to /etc/passwd, /etc/shadow, and files in /usr/bin/ with SUID bits
- Monitor process execution chains for indicators of successful exploitation (e.g., unprivileged user → root shell)
- Implement kernel-level monitoring using eBPF or similar technologies to detect pipe buffer manipulation patterns
How to Mitigate CVE-2022-0847
Immediate Actions Required
- Apply kernel patches immediately from your distribution vendor (Red Hat, Ubuntu, SUSE, etc.)
- Verify kernel version is patched using uname -r and comparing against vendor security advisories
- Audit systems for signs of exploitation using file integrity checks on SUID binaries and critical configuration files
- Consider temporarily removing SUID bits from non-essential binaries as a defense-in-depth measure
Patch Information
Patches have been released by all major Linux distributions. The vulnerability was fixed in the upstream Linux kernel, and backported patches are available from:
- Red Hat Bugzilla Advisory - Red Hat Enterprise Linux patches
- SUSE Support Article - SUSE Linux Enterprise patches
- NetApp Security Advisory NTAP-20220325-0005 - NetApp storage system firmware updates
- SonicWall Advisory SNWLID-2022-0015 - SonicWall SMA1000 patches
- Siemens Advisory SSA-222547 - SCALANCE LPE9403 firmware updates
This vulnerability is listed in the CISA Known Exploited Vulnerabilities Catalog, requiring federal agencies to remediate within prescribed timelines.
Workarounds
- Restrict local user access to minimize attack surface until patches can be applied
- Implement additional access controls using SELinux or AppArmor to limit which processes can use splice() on sensitive files
- Monitor and alert on privilege escalation attempts using endpoint detection solutions
- Consider deploying container isolation with limited kernel capabilities to reduce exploitation impact in containerized environments
# Check current kernel version
uname -r
# Verify if system is vulnerable (kernels 5.8 through unpatched versions)
# Update kernel on RHEL/CentOS
sudo yum update kernel
# Update kernel on Ubuntu/Debian
sudo apt update && sudo apt upgrade linux-image-generic
# Audit SUID binaries for integrity
find / -perm -4000 -type f -exec sha256sum {} \; 2>/dev/null > /tmp/suid_hashes.txt
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
