Skip to content

Google Project Zero reveals 0-click exploit chain for Pixel 10

Google Project Zero · Story 2 of 7

Google's elite security research team, Project Zero, has published a detailed analysis of a zero-click exploit chain targeting the Google Pixel 10 smartphone, demonstrating that even the latest Android devices remain vulnerable to sophisticated attacks that require no user interaction whatsoever. The research, conducted by Project Zero researcher Seth Jenkins in collaboration with Jann Horn, reveals how an attacker could compromise a Pixel 10 device from zero-click context to root access using just two exploits chained together.

The first stage exploits a vulnerability in the Dolby audio decoder (CVE-2025-54957), which the team had previously demonstrated on the Pixel 9. Adapting it for the Pixel 10 required updating memory offsets and working around the device's use of RET PAC (Return Pointer Authentication Codes) instead of traditional stack canaries. The updated exploit bypasses these protections by overwriting initialization code rather than relying on the now-protected stack check failure handler.

The second stage is where things get particularly interesting. The Pixel 10 replaced the BigWave video driver from previous generations with a new VPU (Video Processing Unit) driver for the Chips&Media Wave677DV silicon on the Tensor G5 chip. The team spent just two hours auditing this new driver and discovered what they describe as an exceptionally simple-to-exploit vulnerability — the driver directly exposes the chip's MMIO register interface to userspace, allowing an attacker to map and write to arbitrary physical memory addresses.

The mmap handler in the VPU driver fails to properly validate the size of the mapping request, which means an attacker can map the entire physical memory of the device and gain root access. Project Zero described this as the «holy grail of kernel vulnerabilities» — a simple bug with catastrophic consequences.

Google has since patched these vulnerabilities, but the research serves as a stark reminder that complex hardware-software interfaces remain a fertile ground for exploitation. The Pixel 10's move to new video decoding hardware inadvertently introduced a simpler, more dangerous vulnerability than what it replaced. For the security community, this highlights the ongoing challenge of securing new hardware accelerators that are increasingly common in modern smartphones.

Analysis
Live

This is a textbook example of why new hardware introduces new attack surfaces. The Pixel 10's VPU driver was simpler than the BigWave it replaced, but that simplicity came with a catastrophic security flaw. For anyone building hardware-accelerated systems, this is a reminder that exposing hardware interfaces directly to userspace is almost always a bad idea.

Frequently Asked Questions
Is my Pixel 10 safe if I've installed recent updates?

Yes, if your Pixel 10 has a security patch level of January 2026 or later, you are protected. The Dolby vulnerability was patched in January, and the VPU driver issue has also been addressed. Check Settings > Security for your patch level.