Google released the Android security update on Monday, which fortunately was rolled out to the Pixel 6 smartphones on the same day and brought some improvements with it. Unfortunately, the currently most important security gap on smartphones is still left open and there are indications that this is again due to Tensor and its update problems.
Security gaps are something completely every day and can be found statistically in every digital product if you only look for them for a long time. But there are also particularly serious vulnerabilities that offer attackers a wide range of possibilities and are widespread – this includes the Dirty Pipe vulnerability discovered a few weeks ago. This would allow attackers to take full control of the system.
Dirty Pipe is a serious vulnerability in the current Linux kernel and therefore only affects relatively new devices, including the Samsung Galaxy S22 and Pixel 6 smartphones. But while Samsung claims to have already filled the gap and solved the problem with the April update, things are very different with Google. There is no mention of dirty pipe in the official update lists and a look at the kernel shows that it has not been touched.
The Dirty Pipe vulnerability – tracked by CVE-2022-0847 – isn’t mentioned in the April 2022 ASB, though a patch for it is in android12-5.10-2022-03_r1 and has been backported to android12-5.10-2022-01_r4, android12-5.10-2022-02_r2, and android12-5.10-2021-11_r10. https://t.co/xnMEemMuVY
— Mishaal Rahman (@MishaalRahman) April 4, 2022
Although Google delivered the security update on time, it still leaves the currently most serious vulnerability open. If there were no other way technically, that might be acceptable. But Samsung shows that the gap can be closed: More than that, Samsung’s patch consists of the official Android fix provided by Google.
So let’s be clear: Google has patched the vulnerability in Android, but has not applied this fix to its own Pixel 6 smartphones. The assumption is that this again has something to do with Tensor, the first Google SoC. In the past few months, this chip has ensured that Google has not been able to deliver the updates on time or in full. It is quite possible that there were also problems with the dirty pipe fix.
It’s a curious situation that Samsung was able to fix the problem with Google’s help, but Google wasn’t able to fix it with Samsung’s help. Tensor is based on Samsung technology and Google works closely with the South Koreans for updates. Of course, the smartphone manufacturer Samsung cannot be compared with the component manufacturer Samsung, but it is still a very unpleasant situation that Google will probably have to wait another month.
Another update may follow in the next two weeks. We do not know it. Pixel 6 users are now used to the fact that Google’s communication is not the very best and that problems are hushed up until a fix can be announced. Hopefully soon.