Dirty Pipe vulnerability

CoreELEC use Kernel 4.9.269 and the Dirty Pipe vulnerability was fixed with Kernel 4.9.303.

When can we expect a kernel update?

Over the night.

Nightly or stable?

Both by lib/iov_iter: initialize "flags" in new pipe_buffer · CoreELEC/linux-amlogic@c461a82 · GitHub

Just to make you aware:
Kernel 4.9 had the uninitialized flags, but weakness could not be exploited.
This only started with Kernel 5.8 and a certain commit.
see https://dirtypipe.cm4all.com/
So the backport of the fix is not critical.