Overview
Dirty Pipe (CVE-2022-0847) remains a significant threat in 2025 for organizations running legacy Linux kernels, particularly IoT, embedded, and long-term-support industrial environments. The vulnerability allows any local user to overwrite read-only file contents — including /etc/passwd and SUID binaries.
Why It Is Still Relevant in 2025
- IP cameras, routers, and PLCs often run kernel 5.8–5.16 with no available update path
- Android devices running kernel below 5.16.11 remain vulnerable
- Legacy RHEL/CentOS environments not yet migrated to RHEL 9
Root in 30 Seconds
gcc -o exploit exploit-1.c
./exploit /usr/bin/sudo # Overwrites SUID binary → instant root shell
Affected Kernels
- Linux 5.8 – 5.16.10 — VULNERABLE
- Linux 5.16.11+, 5.15.25+, 5.10.102+ (the fixed stable releases and later) — PATCHED
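The ranges above can be turned into a check of a kernel release string. The script below is an added example, not part of this advisory: the version boundaries are the ones listed above, the sample inputs are constructed, and the function name dirty_pipe_status is my own. Treat the result as a first pass only; distributions that backport the fix keep an older upstream version number, so VULNERABLE means "confirm against the vendor advisory", not "confirmed exploitable".

```shell
#!/bin/sh
# Added example, not from the original advisory: classify a kernel release
# string against the Dirty Pipe (CVE-2022-0847) ranges given on this page.
# Vendor kernels that backport the fix keep an older version number, so
# VULNERABLE here means "check the vendor advisory", not "confirmed exploitable".

# Usage: dirty_pipe_status "5.16.10-generic"
# Prints one of VULNERABLE, PATCHED, NOT_AFFECTED, UNKNOWN.
dirty_pipe_status() {
    v=${1%%-*}                      # "5.16.10-generic" -> "5.16.10"
    v=${v%%+*}                      # "5.16.10+"        -> "5.16.10"
    case $v in *.*) ;; *) echo UNKNOWN; return ;; esac
    major=${v%%.*}                  # "5"
    rest=${v#*.}                    # "16.10"
    minor=${rest%%.*}               # "16"
    patch=${rest#*.}                # "10"
    [ "$patch" = "$rest" ] && patch=0   # "5.8" carries no third field
    patch=${patch%%.*}              # "102.1" -> "102"
    [ -z "$patch" ] && patch=0
    case "$major.$minor.$patch" in  # reject non-numeric or empty fields
        *[!0-9.]*|.*|*..*) echo UNKNOWN; return ;;
    esac

    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 17 ]; }; then
        echo PATCHED; return        # released after the fix
    fi
    if [ "$major" -lt 5 ] || [ "$minor" -lt 8 ]; then
        echo NOT_AFFECTED; return   # below the 5.8 start of the affected range
    fi
    case $minor in                  # fixed stable releases listed on the page
        16) [ "$patch" -ge 11 ]  && echo PATCHED || echo VULNERABLE ;;
        15) [ "$patch" -ge 25 ]  && echo PATCHED || echo VULNERABLE ;;
        10) [ "$patch" -ge 102 ] && echo PATCHED || echo VULNERABLE ;;
        *)  echo VULNERABLE ;;      # 5.8, 5.9, 5.11-5.14: no fixed release listed
    esac
}

# Check the running kernel when invoked directly with --self; otherwise the
# function can be sourced from another script.
if [ "${1:-}" = "--self" ]; then
    printf '%s: %s\n' "$(uname -r)" "$(dirty_pipe_status "$(uname -r)")"
fi
```

Run it as `sh check.sh --self` on the host, or feed it version strings collected from an inventory system; on an embedded fleet the latter is usually the only option, since many devices have no shell access at all.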
Mitigations for Unpatched Systems
- Upgrade the kernel — the only true fix
- Restrict shell access to trusted users only
- Deploy SELinux or AppArmor policies to limit pipe-based abuse
- Use Falco or Tetragon for runtime detection
- Audit SUID binaries regularly:
find / -perm -4000 -type f 2>/dev/null
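Dirty Pipe changes a file's contents without touching its permission bits, so the find command above only tells you which binaries are SUID, not whether any of them has been altered. The script below, an added example that is not from this page, extends the audit to a content baseline: it records a SHA-256 for every SUID regular file under a root directory and later reports drift (a changed hash or a new SUID path). The function names suid_snapshot, suid_drift and make_lab are my own; make_lab builds a constructed sample tree in a temporary directory to stand in for a real filesystem, and sha256sum (with shasum as a fallback) is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original advisory: content baseline for SUID
# binaries. Dirty Pipe changes file contents without touching permission bits,
# so the audit compares hashes rather than just listing SUID files.

# Hash one file; sha256sum is assumed, with shasum as a fallback.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print "sha256  path" for every SUID regular file under $1, sorted by path.
suid_snapshot() {
    find "$1" -perm -4000 -type f 2>/dev/null | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done
}

# Compare a fresh snapshot of $1 against baseline file $2.
# Returns 0 when nothing changed, 1 (and prints the diff) on drift:
# a changed hash means altered contents, a new path means a new SUID file.
suid_drift() {
    now="$2.now.$$"
    suid_snapshot "$1" > "$now"
    if diff -u "$2" "$now"; then
        rm -f "$now"; return 0
    fi
    rm -f "$now"; return 1
}

# Constructed sample tree under a temp dir, standing in for a real / .
# The "binaries" are plain text files; only the SUID bit matters to the audit.
make_lab() {
    lab=$(mktemp -d)
    mkdir -p "$lab/usr/bin"
    printf 'original sudo bytes\n'   > "$lab/usr/bin/sudo"
    printf 'original passwd bytes\n' > "$lab/usr/bin/passwd"
    printf 'not suid\n'              > "$lab/usr/bin/ls"
    chmod 4755 "$lab/usr/bin/sudo" "$lab/usr/bin/passwd"
    chmod 0755 "$lab/usr/bin/ls"
    printf '%s\n' "$lab"
}

# Demo run: take a baseline, overwrite one SUID file in place, detect the drift.
if [ "${1:-}" = "--demo" ]; then
    lab=$(make_lab)
    suid_snapshot "$lab" > "$lab/baseline.txt"
    printf 'tampered\n' > "$lab/usr/bin/sudo"
    suid_drift "$lab" "$lab/baseline.txt" || echo "drift detected (expected)"
    rm -rf "$lab"
fi
```

On a real host, take the baseline on a known-good image (for example `suid_snapshot / > /var/lib/suid-baseline.txt`, path assumed) and run `suid_drift / /var/lib/suid-baseline.txt` from cron or your endpoint agent; keep the baseline somewhere unprivileged local users cannot write, otherwise the same primitive that alters a binary can alter the baseline.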