Google Project Zero researchers have uncovered a zero-click exploit chain affecting Google Pixel 10 devices, allowing attackers to remotely compromise devices and escalate privileges to root without user interaction. This discovery raises significant concerns about the security of Android’s low-level components.
The attack builds upon previous research targeting Pixel 9 devices, where a vulnerability in the Dolby Media Framework (CVE-2025-54957) enabled remote code execution. For the Pixel 10, researchers adapted this entry point with minimal modifications, primarily adjusting memory offsets for the updated Dolby library. The introduction of Return Address Pointer Authentication (RET PAC) in Pixel 10 added complexity, as traditional stack protection mechanisms were replaced. To circumvent this, researchers identified the dap_cpdp_init function as a suitable target for exploitation without destabilizing the system.
New Privilege Escalation Path
While the initial exploit remained similar, the privilege escalation stage required a novel approach. The Pixel 10 no longer includes the vulnerable BigWave driver used in earlier attacks. Instead, researchers discovered a critical flaw in a newly introduced driver located at /dev/vpu, which interfaces with the Chips&Media Wave677DV video processing unit on Google’s Tensor G5 chip.
The vulnerability lies in the driver’s handling of memory mapping requests. Specifically, it fails to validate the size of memory being mapped when calling remap_pfn_range. This oversight allows attackers to request oversized memory mappings, exposing large sections of physical memory, including kernel space. Given that the Android kernel is loaded at a predictable physical address on Pixel devices, attackers can directly locate and overwrite critical kernel structures, effectively granting arbitrary read and write access to kernel memory.
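The check the article says is missing, as an added user-space C model (not Project Zero's or the driver's code, which the article does not reproduce): `mmap_unchecked` shows the weak pattern of passing the caller's length straight through, and `mmap_checked` shows the validation an mmap handler needs before calling remap_pfn_range. The struct and function names, the 4 KiB page size and the region values are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <errno.h>

/* Assumed 4 KiB page geometry, mirroring the kernel's macro names. */
#define PAGE_SHIFT 12
#define PAGE_SIZE  ((uint64_t)1 << PAGE_SHIFT)

/* Stand-in for the fields of struct vm_area_struct that an mmap
 * handler must validate (assumed model, not the kernel struct). */
struct vma_model {
    uint64_t vm_start;  /* user virtual start of the mapping */
    uint64_t vm_end;    /* user virtual end (exclusive) */
    uint64_t vm_pgoff;  /* page offset into the device region */
};

/* The physical region the driver is allowed to expose. */
struct dev_region {
    uint64_t phys_base; /* physical base of the device buffer */
    uint64_t size;      /* length of that buffer in bytes */
};

/* Weak pattern: returns the byte count that would reach remap_pfn_range
 * with no comparison against the backing region. */
static uint64_t mmap_unchecked(const struct vma_model *vma,
                               const struct dev_region *reg)
{
    (void)reg;                              /* region size never consulted */
    return vma->vm_end - vma->vm_start;
}

/* Hardened pattern: 0 if [off, off+len) lies inside the region, else -EINVAL. */
static int mmap_checked(const struct vma_model *vma, const struct dev_region *reg)
{
    uint64_t len = vma->vm_end - vma->vm_start;
    uint64_t off;

    if (len == 0 || (len & (PAGE_SIZE - 1)) != 0)
        return -EINVAL;                     /* must be whole pages */
    if (vma->vm_pgoff > (UINT64_MAX >> PAGE_SHIFT))
        return -EINVAL;                     /* shifting the offset would overflow */
    off = vma->vm_pgoff << PAGE_SHIFT;
    if (off > reg->size || len > reg->size - off)
        return -EINVAL;                     /* request leaves the region */
    return 0;                               /* safe to hand to remap_pfn_range */
}
```

The overflow-safe form `len > reg->size - off` matters: writing it as `off + len > reg->size` can wrap and pass an oversized request.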
Combining the Dolby zero-click vulnerability with the VPU driver flaw enables attackers to execute code remotely without user interaction, escalate privileges to root level, and take complete control of the device. In a real-world scenario, a malicious media file could trigger the initial exploit, followed by kernel manipulation to disable security controls or install persistent malware.
Patch and Mitigations
The vulnerability was reported on November 24, 2025, and classified as High severity. Google addressed the issue within 71 days, releasing patches in the February 2026 Android security update, marking a notable improvement in response time compared to past driver vulnerabilities.
Despite the prompt remediation, these findings highlight ongoing weaknesses in Android driver development. The ease with which researchers adapted previous exploits to newer devices underscores the need for more robust security practices in driver implementation. Users are strongly advised to apply the latest security updates promptly to protect their devices from such sophisticated attacks.
Source: Cyber Security News