Looks like Pixel 6 and Galaxy S22 owners may have another security vulnerability to contend with.
Security researcher and Northwestern University PhD student Zhenpeng Lin posted a video on Twitter showcasing the vulnerability. Lin claims the vulnerability can provide arbitrary kernel memory read and write, escalate privileges, and disable SELinux security protections. In other words, it’s a doozy.
Android Police notes that none of the technical details about the vulnerability have been published. However, the vulnerability impacts Android devices running a Linux kernel based on version 5.10, namely the Pixel 6 series, the Galaxy S22 line, and some others. You can check your kernel version by heading to Settings > About phone > Android version > Kernel version.
Moreover, Android Police reports that the vulnerability appears to rely on some sort of memory access flaw, indicating it could be similar to the Dirty Pipe security flaw that plagued new Pixel and Galaxy smartphones earlier this year.
The latest Google Pixel 6 pwned with a 0day in kernel! Achieved arbitrary read/write to escalate privilege and disable SELinux without hijacking control flow. The bug also affects Pixel 6 Pro, other Pixels are not affected 🙂 pic.twitter.com/UsOI3ZbN3L
— Zhenpeng Lin (@Markak_) July 5, 2022
There’s also some debate over whether Lin’s Twitter post violates Google’s disclosure rules for security bugs. Lin told Android Police that the post was a “proof of concept” and he believes it doesn’t violate the rules. Additionally, Lin said he disclosed the flaw to Google on July 5th.
However, as Android Police notes, Google’s rules request “reasonable advance notice” and that reports going against this “usually don’t qualify.” In other words, it sounds like a public disclosure before alerting Google could impact reward payouts. Typically with security exploits, researchers only issue public disclosures as a final attempt to get companies to fix the flaw. Most tech companies offer disclosure programs and bug bounties and encourage researchers to disclose exploits to them first, then go public once a fix is available. Google’s internal research division, Project Zero, has a 90-day response policy for vulnerabilities that aren’t actively being exploited, and a seven-day policy for actively-exploited flaws.
Finally, Android Police notes that given the timeline and how Google’s security patches work, the issue might not be addressed until September. However, other manufacturers might be able to pull the fix into their own patches earlier, such as what Samsung did with Dirty Pipe.