Critical Zero-Click Exploit Chain Threatens Google Pixel 10 Devices
A recently uncovered zero-click exploit chain targeting Google Pixel 10 devices has raised significant concerns about the security of Android’s core components. Researchers from Google Project Zero have demonstrated how attackers can silently compromise a device and escalate privileges to root access without any user interaction by chaining two specific vulnerabilities.
Background and Initial Exploit
This attack builds upon previous research that targeted Pixel 9 devices, where a vulnerability in the Dolby Media Framework (CVE-2025-54957) allowed for remote code execution. For the Pixel 10, researchers adapted this entry point with minimal modifications, primarily recalculating memory offsets to align with the updated Dolby library.
However, the introduction of Return Address Pointer Authentication (RET PAC) in Pixel 10 devices added complexity to the exploitation process. RET PAC replaces traditional stack protection mechanisms, rendering the usual overwrite target (`__stack_chk_fail`) unavailable. To circumvent this, researchers identified an alternative function, `dap_cpdp_init`, which could be hijacked without disrupting system stability. This adaptation allowed the zero-click exploit to remain effective on devices running security updates issued before December 2025.
Discovery of a New Privilege Escalation Path
While the initial exploit remained largely unchanged, the privilege escalation stage required a novel approach. The Pixel 10 no longer includes the vulnerable BigWave driver used in earlier attacks. Instead, researchers discovered a critical flaw in a newly introduced driver located at `/dev/vpu`. This driver interfaces with the Chips&Media Wave677DV video processing unit on Google’s Tensor G5 chip.
During a brief audit, Project Zero researchers identified a severe vulnerability in the driver’s memory mapping functionality. The flaw lies in how the driver handles `mmap` requests, specifically failing to validate the size of memory being mapped when calling `remap_pfn_range`. This oversight allows attackers to request oversized memory mappings without enforced boundaries, exposing large sections of physical memory, including kernel space.
Given that the Android kernel is loaded at a predictable physical address on Pixel devices, attackers can directly locate and overwrite critical kernel structures, effectively granting arbitrary read and write access to kernel memory. Researchers noted that achieving full kernel compromise required minimal code, making this vulnerability unusually easy to exploit compared to typical kernel bugs.
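The missing validation described above, modelled as an added example (constructed user-space code, not the `/dev/vpu` driver's or Project Zero's code): the unchecked pattern beside a hardened handler that bounds the requested offset and length against the buffer the driver actually exports before anything is remapped. The `vma_model` and `vpu_buf_model` structs and the two function names are hypothetical stand-ins for the kernel's `vm_area_struct` and a `remap_pfn_range` caller.

```c
#include <stdbool.h>

/* Constructed user-space model of the bounds check a driver's mmap handler
 * must perform before remap_pfn_range(); not the /dev/vpu driver's code. */
#define PAGE_SHIFT_MODEL 12UL
#define PAGE_SIZE_MODEL  (1UL << PAGE_SHIFT_MODEL)

/* Stand-in for the vm_area_struct fields the check needs. */
struct vma_model {
    unsigned long vm_start; /* user VA where the mapping begins */
    unsigned long vm_end;   /* user VA one past the end */
    unsigned long vm_pgoff; /* requested offset into the device buffer, in pages */
};

/* The buffer the driver legitimately exports (hypothetical values in tests). */
struct vpu_buf_model {
    unsigned long phys_base; /* page-aligned physical address */
    unsigned long size;      /* bytes, page aligned */
};

/* Pattern the article describes: the requested length is handed to the remap
 * unchanged, so a request larger than the buffer maps physical memory past it. */
bool mmap_unchecked(const struct vma_model *vma, const struct vpu_buf_model *buf,
                    unsigned long *pfn_out, unsigned long *len_out)
{
    *len_out = vma->vm_end - vma->vm_start;
    *pfn_out = (buf->phys_base >> PAGE_SHIFT_MODEL) + vma->vm_pgoff;
    return true; /* remap_pfn_range(vma, vm_start, *pfn_out, *len_out, ...) */
}

/* Hardened form: reject malformed ranges, then bound offset and length against
 * the buffer with arithmetic that cannot overflow, before any remap happens. */
bool mmap_checked(const struct vma_model *vma, const struct vpu_buf_model *buf,
                  unsigned long *pfn_out, unsigned long *len_out)
{
    unsigned long len = vma->vm_end - vma->vm_start;
    unsigned long off;

    if (vma->vm_end <= vma->vm_start || len & (PAGE_SIZE_MODEL - 1))
        return false;                        /* empty or unaligned range */
    if (vma->vm_pgoff > buf->size >> PAGE_SHIFT_MODEL)
        return false;                        /* offset already past the buffer */
    off = vma->vm_pgoff << PAGE_SHIFT_MODEL; /* <= buf->size, so no overflow */
    if (len > buf->size - off)
        return false;                        /* mapping would run past the buffer */
    *len_out = len;
    *pfn_out = (buf->phys_base + off) >> PAGE_SHIFT_MODEL;
    return true;
}
```

The decisive difference is that the hardened handler compares the requested length against the remaining bytes of the exported buffer rather than trusting the caller's range.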
Potential Real-World Impact
By combining the Dolby zero-click vulnerability with the VPU driver flaw, attackers can:
– Execute code remotely without user interaction.
– Escalate privileges to root level.
– Take complete control of the device.
In a real-world scenario, a malicious media file could trigger the initial exploit, followed by kernel manipulation to disable security controls or install persistent malware.
Patch and Mitigations
The vulnerability was reported on November 24, 2025, and classified as High severity. Google addressed the issue within 71 days, releasing patches in the February 2026 Android security update, marking a notable improvement in response time compared to past driver vulnerabilities.
Despite faster remediation, the findings highlight ongoing weaknesses in Android driver development. Notably, the VPU driver was introduced without comprehensive security audits, underscoring the need for more rigorous testing and validation processes in the development of low-level system components.
Recommendations for Users
To protect against potential exploitation, users are strongly advised to:
– Ensure their devices are updated with the latest security patches.
– Be cautious when receiving unsolicited media files, even from known contacts.
– Regularly review app permissions and device settings to minimize exposure to potential vulnerabilities.
This incident serves as a stark reminder of the evolving nature of cyber threats and the importance of proactive security measures in safeguarding personal devices.