Linux “Dirty Pipe” CVE-2022-0847 Vulnerability Exploitation Explained

The Red Report 2024

The Top 10 MITRE ATT&CK Techniques Used by Adversaries


On March 7, 2022, Max Kellerman from CM4All disclosed a local privilege escalation vulnerability (CVE-2022-0847) found in Linux kernel version 5.8 and newer [1]. This vulnerability allows attackers to overwrite read-only or immutable files and escalate their privileges in the victim’s system. CVE-2022-0847 vulnerability is named Dirty Pipe and has a CVSS score of 7.8 (high) [2]. 

Validate your security controls against CVE-2022-0847 exploits

What are Pipe, Page, and splice() in Linux?

A pipe is a unidirectional and inter-process communication method in Linux. It allows a process to take input from the previous one using a pipe buffer.

In the example below, the cat command's output is used as the input of the grep command using a pipe.

$ cat test.txt                                                                                                                               
Hello World!
Hello Earth!

$ cat test.txt | grep Earth                                                                                                                  
Hello Earth!

A page is a 4096-byte block of data. The Linux kernel breaks up the data into pages and operates on pages instead of dealing with the entire file at once. In the pipe mechanism, there is a flag called PIPE_BUF_FLAG_CAN_MERGE that indicates whether merging more data into the pipe buffer is allowed or not. When data is copied to a pipe buffer, more data can be added to the pipe buffer if the copied page is less than 4096 bytes in size.

splice() is a Linux system call that can move data from or to the pipe. This system call transfer data using the pass-by-reference method. Instead of copying a page every time, it gives a reference to the page that is to be transferred to pipe. 

What is Dirty Pipe (CVE-2022-0847) Vulnerability?

Dirty Pipe is a local privilege escalation vulnerability affecting Linux kernel versions 5.8 or newer. The vulnerability is patched in Linux versions 5.16.11, 5.15.25, and 5.10.102. CVSS score of the vulnerability is 7.8(high).  CVE-2022-0847 vulnerability is named Dirty Pipe because of its similarity to Dirty Cow (CVE-2016-5195) vulnerability [3]. 

Here is how Dirty Pipe vulnerability exploitation works:

  • Create a pipe
  • Copy arbitrary data into the pipe and set the PIPE_BUF_FLAG_CAN_MERGE flag to 1 for all instances.
  • Drain the pipe
      • Normally, the flag should be reset. However, the Dirty Pipe vulnerability causes the flag to stay as set to 1.
  • Transfer a read-only file to the pipe using splice() system call.
  • Modify the read-only file.
    • Since the splice() system call uses the pass-by-reference method, the attacker can overwrite the file due to the PIPE_BUF_FLAG_CAN_MERGE flag.

Using Dirty Pipe vulnerability, an attacker with unprivileged access to the victim system can elevate its privileges to the root level. 

How to Protect Your Organization From Dirty Pipe Vulnerability Exploits?

To protect against exploitation of CVE-2022-0847 Dirty Pipe vulnerability, we highly advise organizations to identify vulnerable systems on their networks and update them. Since Linux is also used in many mobile devices, the relevant patches should be applied.  

How Picus Helps Simulate Dirty Pipe Vulnerability Exploits?

Picus Continuous Security Validation Platform tests your security controls against vulnerability exploitation attacks and suggests related prevention methods.


1. Let's look at Dirty Pipe vulnerability exploitation attack simulation in Picus Threat Library. To see the Threat Library, click on Threats.

Step 1 image

2. Picus Threat Library includes five main threat categories. Dirty Pipe attack simulation is classified under Vulnerability Exploitation category. Click on Vulnerability Exploitation to list the attacks.

Step 2 image

3. The latest vulnerability exploitation attacks are listed here. Let's look into Dirty Pipe vulnerability attack simulation by clicking highlighted area. It will open threat detail for the simulation.

Step 3 image

4. Under Overview tab, the simulation details are available. Let's click Assess to go to assessment screen.

Step 4 image

5. Under Assess tab, you can run attack simulations any time you want. Click on Assess to run simulation for Dirty Pipe vulnerability exploitation.

Step 5 image

6. Assessment is finished and the result is "Not Blocked" as indicated by the red icon. But don't worry. Picus also gives actionable prevention suggestions.
Let's click Prevention tab to see these how to prevent simulated attack.

Step 6 image

7. With few clicks, we quickly simulated Dirty Pipe vulnerability exploitation attack and obtained actionable prevention suggestions.

Click here to request your free Picus demo to test your security control against cyber threats.

Step 7 image

Here's an interactive tutorial

** Best experienced in Full Screen (click the icon in the top right corner before you begin) **


Picus Labs advises you to simulate Dirty Pipe CVE-2022-0847 vulnerability exploitation attack and determine the effectiveness of your security controls against it.

Threat Name

Linux Kernel Dirty Pipe Elevation of Privilege Vulnerability


[1] “The Dirty Pipe Vulnerability — The Dirty Pipe Vulnerability documentation.” [Online]. Available:

[2] “NVD - CVE-2022-0847.” [Online]. Available:

[3] “NVD - CVE-2016-5195.” [Online]. Available: