
CVE-2022-0847: Linux Kernel Dirty Pipe Exploit — Detection and Hardening Guide

Security Arsenal Team
May 29, 2026
6 min read

A critical vulnerability has been weaponized in the wild, allowing unprivileged local users to overwrite data in read-only files, leading to full root privilege escalation. Tracked as CVE-2022-0847 and dubbed "Dirty Pipe," this flaw impacts a wide range of Linux kernels. For SOC analysts and systems administrators, this is not a theoretical risk—it is a functional exploit (Exploit-DB 52591) that bypasses standard file permissions.

Introduction

The "Dirty Pipe" vulnerability (CVE-2022-0847) represents a significant failure in the Linux kernel's memory management subsystem, specifically regarding how the pipe_buffer structure handles page flags. By exploiting an uninitialized variable in the copy_page_to_iter_pipe function, an attacker can force the kernel to append data to a page cache that is backing a read-only file.

The practical implication is severe: an attacker with low-level privileges (e.g., a standard www-data user or a compromised user account) can inject code into SUID-root binaries or modify critical system files like /etc/passwd to create a new root user. This bypasses standard discretionary access controls (DAC) and renders many traditional containment strategies ineffective. Immediate patching and active threat hunting are required to ensure compromise has not already occurred.

Technical Analysis

  • Affected Products: Linux Kernel 5.8 and later, up to but not including the fixed releases 5.16.11, 5.15.25, and 5.10.102 (stable branches 5.16, 5.15, and 5.10 respectively).
  • CVE Identifier: CVE-2022-0847
  • CVSS Score: 7.8 (High)
  • Attack Vector: Local. No user interaction is required beyond the ability to execute code on the target.
  • Mechanism: The vulnerability resides in the copy_page_to_iter_pipe function. When data is spliced into a pipe, the kernel fails to initialize the flags member of the pipe_buffer structure. This leaves the PIPE_BUF_FLAG_CAN_MERGE flag, which an attacker can set beforehand, in place on a pipe buffer that subsequently references a page cache page of a completely different, read-only file. Once the flag is set, any subsequent write to the pipe is merged directly into the backing page cache of the target file, effectively corrupting or overwriting the file's content.
  • Exploitation Status: Confirmed. A functional proof-of-concept is available on Exploit-DB (52591). The exploit is reliable, fast, and does not require race conditions, making it highly stable for attackers.

Detection & Response

Detecting kernel-level memory corruption is challenging without advanced eBPF monitoring. However, the post-exploitation behavior of this exploit is distinct. Attackers typically target /etc/passwd to add a new root user (e.g., rootz:) with a known password hash, or they overwrite SUID binaries to spawn a root shell.

Defenders should focus on File Integrity Monitoring (FIM) alerts for read-only system files and the creation of unauthorized SUID binaries in user-writable directories. Note that the exploit writes into the page cache rather than through a normal write() to the file, so the target's mtime and on-disk blocks are left unchanged until the page is evicted or the host reboots; FIM that re-hashes file contents will see the change, whereas checks keyed on modification time or inode change may not.
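Because the tampered copy of a target file lives only in the page cache, a direct (O_DIRECT) read of the file can be compared with a normal cached read. The following shell check is an added example, not part of the original advisory; it assumes GNU dd with iflag=direct, sha256sum, and a filesystem that accepts direct I/O at a 4096-byte alignment.

```shell
#!/bin/bash
# Added example (not from the advisory): compare the page-cache view of a file
# with its on-disk content. Dirty Pipe modifies the cached page but never marks
# it dirty, so the block device still holds the original bytes. Reading with
# O_DIRECT (dd iflag=direct) bypasses the cache; a mismatch on a file that no
# one has legitimately written means the cached copy was tampered with.
# Assumptions: GNU dd (iflag=direct), sha256sum, and a filesystem that supports
# direct I/O at 4096-byte alignment (ext4/xfs do; some overlayfs/tmpfs do not).
#
# Exit status: 0 = identical, 1 = cached content differs from disk, 2 = not checkable.
pagecache_matches_disk() {
    local file="$1" cached ondisk tmp
    [ -f "$file" ] && [ -r "$file" ] || return 2
    cached=$(sha256sum < "$file" | cut -d' ' -f1)
    tmp=$(mktemp) || return 2
    # Direct read straight from the block device. dd fails (EINVAL) where the
    # filesystem does not support O_DIRECT; report that rather than guessing.
    if ! dd if="$file" of="$tmp" iflag=direct bs=4096 2>/dev/null; then
        rm -f "$tmp"
        return 2
    fi
    ondisk=$(sha256sum < "$tmp" | cut -d' ' -f1)
    rm -f "$tmp"
    [ "$cached" = "$ondisk" ] && return 0
    return 1
}

# Check a list of files (default: the usual Dirty Pipe targets named above).
# Returns 1 if any file shows a cache/disk mismatch, 0 otherwise.
check_files() {
    local f rc worst=0
    [ "$#" -gt 0 ] || set -- /etc/passwd /etc/shadow /etc/sudoers
    for f in "$@"; do
        rc=0
        pagecache_matches_disk "$f" || rc=$?
        case $rc in
            0) echo "[OK]    $f: cached content matches disk" ;;
            1) echo "[ALERT] $f: page-cache content differs from disk (possible Dirty Pipe tampering)"; worst=1 ;;
            2) echo "[SKIP]  $f: unreadable or direct I/O unsupported on this filesystem" ;;
        esac
    done
    return $worst
}

# Run only when invoked with --run (e.g. sudo ./pagecache_check.sh --run /etc/passwd)
if [ "${1:-}" = "--run" ]; then
    shift
    check_files "$@"
fi
```

The check is time-sensitive: once the cached page is evicted or the host reboots, the original on-disk content is what every reader sees again, so run it on live systems before remediation rather than after.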

SIGMA Rules

YAML
---
title: Potential Linux Dirty Pipe - Sensitive File Modification by Non-Root
id: 9a2c3d4e-5f6b-4c7d-8e9f-0a1b2c3d4e5f
status: experimental
description: Detects modification of critical system files like /etc/passwd or /etc/shadow by a process that is not running as root, a common behavior of the Dirty Pipe exploit.
references:
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847
author: Security Arsenal
date: 2024/05/20
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  product: linux
  category: file_event
detection:
  selection:
    TargetFilename|contains:
      - '/etc/passwd'
      - '/etc/shadow'
      - '/etc/sudoers'
  filter:
    User: 'root'
  condition: selection and not filter
falsepositives:
  - Legitimate administration tools (rare for these specific files)
level: critical
---
title: Linux SUID Bit Set on File in User-Writable Directory
id: b1c2d3e4-5f6a-4b7c-8d9e-0f1a2b3c4d5e
status: experimental
description: Detects chmod setting the SUID bit (4000) on files in user-writable directories like /tmp or /home, often used as a persistence mechanism after privilege escalation. File events do not carry permission bits, so the rule keys on the chmod process instead.
references:
  - https://attack.mitre.org/techniques/T1548/001/
author: Security Arsenal
date: 2024/05/20
tags:
  - attack.privilege_escalation
  - attack.t1548.001
logsource:
  product: linux
  category: process_creation
detection:
  selection_chmod:
    Image|endswith: '/chmod'
  selection_mode_symbolic:
    CommandLine|contains: '+s'
  selection_mode_octal:
    # Four-digit octal mode whose leading digit has the setuid bit (4xxx-7xxx)
    CommandLine|re: '\s[4-7][0-7]{3}\s'
  selection_path:
    CommandLine|contains:
      - '/tmp/'
      - '/var/tmp/'
      - '/dev/shm/'
      - '/home/'
  condition: selection_chmod and selection_path and 1 of selection_mode_*
falsepositives:
  - Rare; developers sometimes test SUID binaries in home dirs
level: high

KQL (Microsoft Sentinel / Defender)

Hunt for unauthorized modifications to sensitive files or anomalous process execution patterns indicative of exploit usage.

KQL — Microsoft Sentinel / Defender
// Hunt for modifications to /etc/passwd by non-root users
DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath endswith @"/etc/passwd" or FolderPath endswith @"/etc/shadow"
| where InitiatingProcessAccountName != "root" and InitiatingProcessAccountName != "SYSTEM"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, FileName, ActionType
| extend AlertDetails = "Potential Dirty Pipe Exploitation: Sensitive file modified by non-root user"

Velociraptor VQL

Use VQL to hunt for the resulting artifacts of a successful exploit: specifically, SUID files created in temporary directories and malformed entries in /etc/passwd (e.g., users with UID 0).

VQL — Velociraptor
-- Hunt for SUID files in tmp directories (Persistence/Priv Esc).
-- glob() takes a list of patterns; Mode.String starts with "u" when the setuid bit is set.
SELECT OSPath, Mode.String AS ModeStr, Size, Mtime
FROM glob(globs=['/tmp/**', '/var/tmp/**', '/home/*/.cache/**'])
WHERE NOT IsDir AND ModeStr =~ '^u'

-- Hunt for users in /etc/passwd with UID 0 but not named 'root'.
-- parse_lines() yields only a Line column; the UID is the third colon-separated field.
SELECT Line, split(string=Line, sep=':')[2] AS UID
FROM parse_lines(filename='/etc/passwd')
WHERE UID = '0' AND NOT Line =~ '^root:'

Remediation Script (Bash)

This script checks for vulnerable kernel versions, hunts for indicators of compromise (IOCs) such as the specific modification pattern in /etc/passwd, and checks for unexpected SUID files.

Bash / Shell
#!/bin/bash

# Dirty Pipe (CVE-2022-0847) Response Script
# Usage: sudo ./check_dirty_pipe.sh

echo "[+] Checking Kernel Version..."
# Strip the distribution suffix (e.g. "5.15.0-91-generic" -> "5.15.0").
KERNEL_VERSION=$(uname -r | cut -d- -f1)
MAJOR_MINOR=$(echo "$KERNEL_VERSION" | cut -d. -f1,2)

# Function to compare versions: returns 0 if $1 >= $2, 1 otherwise
version_ge() {
    test "$1" = "$2" && return 0
    local IFS=.
    local i ver1=($1) ver2=($2)
    # Pad the shorter version with zeros so 5.8 compares as 5.8.0
    for ((i=${#ver1[@]}; i<${#ver2[@]}; i++)); do ver1[i]=0; done
    for ((i=0; i<${#ver1[@]}; i++)); do
        if [[ -z ${ver2[i]} ]]; then ver2[i]=0; fi
        if ((10#${ver1[i]} > 10#${ver2[i]})); then return 0; fi
        if ((10#${ver1[i]} < 10#${ver2[i]})); then return 1; fi
    done
    return 0
}

# Vulnerable range: 5.8 <= v, fixed in 5.16.11, 5.15.25 and 5.10.102 (and 5.17+).
# The fix must be checked per stable branch: 5.11 is numerically above 5.10.102
# but is still vulnerable, so a single "at or above any fixed version" test is wrong.
case "$MAJOR_MINOR" in
    5.10) FIXED_IN="5.10.102" ;;
    5.15) FIXED_IN="5.15.25" ;;
    5.16) FIXED_IN="5.16.11" ;;
    *)    FIXED_IN="" ;;
esac

if ! version_ge "$KERNEL_VERSION" "5.8"; then
    echo "[*] Kernel version $KERNEL_VERSION predates 5.8 and is not vulnerable."
elif version_ge "$KERNEL_VERSION" "5.17"; then
    echo "[*] Kernel version $KERNEL_VERSION is 5.17 or newer and is not vulnerable."
elif [[ -n "$FIXED_IN" ]] && version_ge "$KERNEL_VERSION" "$FIXED_IN"; then
    echo "[*] Kernel version $KERNEL_VERSION is at or above the fixed release $FIXED_IN for its branch."
else
    echo "[ALERT] Kernel version $KERNEL_VERSION is VULNERABLE to CVE-2022-0847. Patch immediately."
    echo "        (Distribution kernels may carry a backported fix without a version bump;"
    echo "         confirm against your vendor advisory before closing the finding.)"
fi

echo ""
echo "[+] Checking for Dirty Pipe artifacts in /etc/passwd (UID 0 non-root)..."
# Public PoCs typically add a new account with UID 0 to /etc/passwd
awk -F: '$3 == 0 && $1 != "root" {print "[ALERT] Found non-root user with UID 0: " $1}' /etc/passwd

echo ""
echo "[+] Scanning for suspicious SUID files in /tmp and /home..."
find /tmp /var/tmp /home -perm -4000 -type f 2>/dev/null | while read -r file; do
    echo "[SUSPICIOUS] SUID file found: $file"
done

echo ""
echo "[+] Remediation: Update kernel via your package manager (apt/yum/dnf) immediately, then reboot."

Remediation

  1. Patch Immediately: Update the Linux kernel to a patched version.
    • Patched Versions: Upgrade to Linux Kernel 5.16.11, 5.15.25, 5.10.102, or newer. Enterprise distributions (RHEL, Ubuntu, Debian) have released backported security updates for Long Term Support (LTS) kernels. Consult your specific vendor advisory.
  2. Reboot Required: Kernel updates require a system reboot to load the patched code. Schedule downtime for critical infrastructure immediately.
  3. Audit Systems: Run the provided remediation script or manually audit systems for signs of compromise, specifically looking for unauthorized UID 0 accounts in /etc/passwd or unknown SUID binaries.
  4. Workarounds: No effective configuration workaround exists to fully mitigate the memory corruption flaw without patching. Restricting local user access (removing non-essential accounts) reduces the attack surface but does not fix the vulnerability.
