Skip to content

Defense Digests

Linux Dirty Pipe Vulnerability

Dataprise Defense Digest 550x550

Table of content


On March 8th, 2022 researchers discovered a vulnerability that allows for overwriting arbitrary read-only values, including /etc/shadow, allowing unprivileged actors to overwrite values and execute privileged processes as root. This vulnerability is considered high severity and affects all Linux kernel versions since 5.8. This vulnerability requires a user to have access to at least a low-level authorized user account to escalate privileges, therefore this vulnerability is assessed to be a High priority for patches and a Medium priority for exploitation as Proof of Concept code is available.

Severity: 8 (High)


Privilege Escalation; Low privilege authenticated users can run processes or inject data as root


Pipe buffer flags allow merging commands which can allow instructions in the 4kb memory page buffer to overflow and write to additional processes or files as root. The practical application of this vulnerability is to overwrite the /etc/shadow file, or to tie in a process execution allowing for the process to be run with root privileges for any file or process currently in the page cache.

This vulnerability is in Linux kernels 5.8 and higher due to an uninitialized “pipe_buffer.flags” variable.

**NOTE: The file write or process executed cannot be run outside of the page boundary, i.e. no execution or writes across multiple pages of memory. All execution is limited to the 4kb block targeted.


Any system using Linux kernels 5.16.11, 5.15.25, and 5.10.102, or below are vulnerable. Unfortunately, server admins continue to run outdated kernels and this can be significantly disruptive to update.

This is especially troubling for web hosting providers offering shell access.


Update to Linux kernels 5.16.11, 5.15.25, and 5.10.102.

SOURCES (Detailed technical release from vulnerability discovery) (POC code)



  • Bryan Austin, Senior Cybersecurity Project Engineer
  • Sam Bourgeois, vCISO
  • Stephen Jones, Vice President – Cybersecurity Services

If you have any questions, please reach out to the Dataprise Security Operations Center at [email protected].

Recent Tweets


Learn about the latest threats and vulnerabilities with our D3 alerts.

Subscribe to get real-time notifications when a new Dataprise Defense Digest is published.