Updates for Pixels and Samsung's phones have been rolling out with the April 2022 patch level included, but there's been a lot of confusion about one important and high-profile security vulnerability. The Android Security Bulletin for April was published today, yet it does not state that it addresses the Dirty Pipe vulnerability, which can be used for arbitrary code execution. Samsung, on the other hand, says that Google's patches in the April bulletin do address Dirty Pipe, and the Galaxy S22 series is no longer affected.

For the uninitiated, Google puts together a big "patch level" for Android that includes fixes for security vulnerabilities every month. Smartphone makers get access to it early to roll out updates in a coordinated way at the beginning of each month — assuming they deliver monthly updates. (Some manufacturers roll up these changes for less premium devices and deliver them every two months, or once a quarter.) Every month, Google publishes a bulletin that explains which vulnerabilities have been addressed across the monthly patch levels provided. The notes each month state the type of vulnerability, severity, and CVE identifier assigned to it, and this month's notes from Google for April 2022 are missing CVE-2022-0847.

That identifier is tied to the Dirty Pipe vulnerability, which researchers have exploited to fully root a Google Pixel 6 Pro and Samsung's Galaxy S22 series by taking advantage of a bug in how Linux handles reading and writing to files. Done right, the exploit can allow privilege escalation and arbitrary code execution — scary terms that essentially mean a malicious actor can use the exploit to gain full control of a system (and enthusiasts might use it to get root access).

With the extensive documentation currently available regarding the exploit and its impact across systems running specific versions of the Linux kernel, it may be under active "in the wild" use by malicious actors, though it's less likely that anyone is currently using it to target Android phones. The vulnerability requires a very recent version of the Linux kernel, and Android phones tend to "live" on a single version for most of their lives. Excluding the Pixel 6 and its Generic Kernel Image support, only phones with a Snapdragon 8 Gen 1 that launched on Android 12 or later should be affected. That includes the Galaxy S22 series, Xiaomi 12 Pro, OnePlus 10 Pro, and Google's Tensor-powered Pixel 6 and 6 Pro.

The April 2022 Android Security Bulletin does not include fixes for the CVE that corresponds to the Dirty Pipe vulnerability, nor are they mentioned in the separate and device-specific Pixel Update Bulletin. Esper.io's Mishaal Rahman has further confirmed that the kernel build date and tags for the current patch on the Pixel 6 Pro indicate that it has been unchanged and is unlikely to include fixes for Dirty Pipe. However, Samsung's patch notes and documentation for the April update on the Galaxy S22 series explicitly say it has been fixed there. Even more weirdly, though, Samsung's documentation outright states that Google fixed it on its end with the April 2022 update, disagreeing with Google's own documentation.
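The kind of check described above (is the kernel in the affected range, and did the update actually change it?) can be sketched as follows. This is an added example, not code from Google, Samsung, Esper or this article: the function names and the sample banners are constructed, and the version thresholds are the upstream Linux stable releases that carry the fix, which the article itself does not list.

```python
import re
from datetime import datetime

# Upstream facts for CVE-2022-0847 (not stated in the article): introduced in
# Linux 5.8; fixed in stable 5.10.102, 5.15.25, 5.16.11 and in 5.17 onward.
INTRODUCED = (5, 8, 0)
FIXED_SUBLEVEL = {(5, 10): 102, (5, 15): 25, (5, 16): 11}

BANNER = re.compile(
    r"Linux version (?P<release>(?P<maj>\d+)\.(?P<min>\d+)\.(?P<sub>\d+)\S*)"
    r".*#\d+ (?:SMP )?(?:PREEMPT )?"
    r"(?P<built>\w{3} \w{3} +\d+ [\d:]+) \w+ (?P<year>\d{4})")

def parse_banner(text):
    """Pull release string, numeric version and build time out of /proc/version."""
    m = BANNER.search(text)
    if m is None:
        raise ValueError("not a /proc/version banner")
    version = tuple(int(m[k]) for k in ("maj", "min", "sub"))
    built = datetime.strptime(f"{m['built']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    return {"release": m["release"], "version": version, "built": built}

def upstream_status(version):
    """Classify by upstream version alone; vendor backports can override this."""
    if version < INTRODUCED:
        return "not affected"
    fixed = FIXED_SUBLEVEL.get(version[:2])
    if fixed is not None:
        return "fixed upstream" if version[2] >= fixed else "affected unless backported"
    return "fixed upstream" if version[:2] >= (5, 17) else "affected unless backported"

def assess(before_banner, after_banner):
    """Compare the banner from before and after a monthly update."""
    before, after = parse_banner(before_banner), parse_banner(after_banner)
    unchanged = (before["release"], before["built"]) == (after["release"], after["built"])
    status = upstream_status(after["version"])
    if unchanged and status == "affected unless backported":
        status = "likely still affected: kernel unchanged by update"
    return {"kernel_unchanged": unchanged, "status": status}

# Constructed sample banners (placeholder build ids, not from a real device).
BEFORE = ("Linux version 5.10.43-android12-9-00001-g0123456789ab-ab0000001 "
          "(build-user@build-host) (Android clang, LLD) "
          "#1 SMP PREEMPT Fri Dec 3 10:00:00 UTC 2021")
AFTER_REBUILT = BEFORE.replace("Fri Dec 3 10:00:00 UTC 2021",
                               "Fri Mar 18 10:00:00 UTC 2022")

if __name__ == "__main__":
    print(assess(BEFORE, BEFORE))
    print(assess(BEFORE, AFTER_REBUILT))
```

A rebuilt kernel that keeps an old upstream version number stays "affected unless backported": the banner alone cannot show whether a vendor cherry-picked the fix, which is why the bulletin text matters.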

In short: Samsung says Google fixed it and, by omission, Google says it didn't.

We have reached out to Google to more explicitly confirm whether the Dirty Pipe vulnerability has been addressed in the latest patch level, as well as if the Pixel 6 is still affected, but representatives from the company have not responded to our (repeated) inquiries. We've further reached out to Samsung for more information when it comes to the S22 series, and the company is looking into the subject.

Samsung might have pulled the fix down early in some way, but the company's documentation still attributes the fix to the April 2022 Android Security Bulletin. It could be that Google did fix the issue for some devices/kernels and not others, or something else could be going on.

Although only a few very recent (and relatively high-end) phones are affected, given the severity of the vulnerability, many customers were hoping that it might be fixed across the board with this month's update, following its public disclosure on March 7th. But the situation is still murky, and though this affects customer security, Google isn't doing much to clear it up.

UPDATE: 2022/04/05 09:47 EST BY RYNE HAGER

Samsung says Google patched it, Google's page disagrees

As spotted by SamMobile, Samsung says it has patched the vulnerability for the Galaxy S22 series in the latest update. Samsung's security updates page even includes the CVE for Dirty Pipe. Most unusually, Samsung explicitly says that fix is part of Google's April 2022 Android Security Bulletin, even though Google's page for precisely that makes no mention of it.

We reached out to Google (again) for more information, but the company is still not responding to our inquiries, even though a little communication could easily iron this out.

Our coverage above has been updated.