A newly discovered zero-click exploit chain has emerged, targeting Google Pixel 10 devices and raising serious concerns about the security of Android’s foundational layers. This vulnerability allows attackers to silently take control of a device, elevating their privileges to root level without any user interaction.
Technical Insights into the Exploit
Researchers from Google’s Project Zero have uncovered how attackers can exploit two vulnerabilities in tandem to compromise devices. Initially, the exploit builds on previous research targeting Pixel 9 devices, specifically a flaw in the Dolby Media Framework (CVE-2025-54957) that permitted remote code execution.
Adapting this exploit to Pixel 10 required minimal changes, mainly recalibrating memory offsets to accommodate the updated Dolby library. However, the recent introduction of Return Address Pointer Authentication (RET PAC) has added complexity to the exploitation process. The traditional target, __stack_chk_fail, is no longer viable, leading researchers to redirect their efforts towards the dap_cpdp_init function, which could be exploited without destabilizing the system.
New Pathways for Privilege Escalation
While the entry exploit closely resembled its predecessor, privilege escalation on Pixel 10 demanded a novel approach. The absence of the previously vulnerable BigWave driver necessitated the discovery of a new flaw in the /dev/vpu driver, associated with the Chips&Media Wave677DV video processing unit on Google’s Tensor G5 chip.
Project Zero’s audit revealed a critical vulnerability in the driver’s memory mapping functionality. The vulnerability arises from inadequate validation of memory size during mmap requests, allowing attackers to request excessively large memory mappings and access extensive physical memory regions, including kernel space.
This flaw enables attackers to pinpoint and overwrite essential kernel structures, granting them arbitrary read and write access to kernel memory. Achieving full kernel compromise was notably straightforward, requiring minimal code and highlighting the severity of this vulnerability.
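The class of bug described above (an mmap handler that validates where a mapping starts but not how far it reaches) can be modelled in a few lines. The block below is an added illustration, not the VPU driver's code or anything from Project Zero's write-up: the buffer size, page size, function names and the exact shape of the weak check are assumptions, and the point is the hardened form, which rejects over-long, unaligned and wrapping requests.

```c
/* Illustrative model of mmap range validation for a driver that exposes a
 * fixed-size physical buffer. Assumptions: 4 KiB pages, a 16 MiB buffer,
 * a request given as a page offset plus a byte length. Not real driver code. */
#include <stdbool.h>
#include <stdint.h>

#define MODEL_PAGE_SIZE 4096UL
#define MODEL_BUF_SIZE  (16UL * 1024 * 1024)   /* assumed 16 MiB device buffer */
#define MODEL_BUF_PAGES (MODEL_BUF_SIZE / MODEL_PAGE_SIZE)

/* Weak form: only checks that the mapping starts inside the buffer.
 * A request with a large length is accepted and would map physical
 * memory far beyond the buffer, which is the failure mode the article
 * describes. */
bool mmap_check_weak(uint64_t pgoff, uint64_t len)
{
    uint64_t start = pgoff * MODEL_PAGE_SIZE;
    (void)len;                     /* length is never examined */
    return start < MODEL_BUF_SIZE;
}

/* Hardened form: length must be non-zero and page-aligned, the page
 * offset must be small enough that converting it to bytes cannot wrap,
 * the start must lie inside the buffer, and the end must too. The end
 * check is written as a subtraction so that start + len can never
 * overflow and slip past the comparison. */
bool mmap_check_hardened(uint64_t pgoff, uint64_t len)
{
    if (len == 0 || (len & (MODEL_PAGE_SIZE - 1)) != 0)
        return false;
    if (pgoff >= MODEL_BUF_PAGES)
        return false;              /* also rules out pgoff * PAGE_SIZE wrapping */
    uint64_t start = pgoff * MODEL_PAGE_SIZE;
    return len <= MODEL_BUF_SIZE - start;
}
```

Reviewing a driver's mmap handler for exactly these four conditions (non-zero, aligned, start in range, end in range without overflow) is the check the article's finding calls for.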
Implications and Mitigation Efforts
By chaining the Dolby exploit with the VPU driver flaw, attackers can execute code remotely, escalate privileges to root, and gain full control of the device. In practice, a malicious media file could trigger the initial exploit, followed by kernel manipulation to disable security features or install persistent malware.
The vulnerability was reported on November 24, 2025, classified as high severity. Google responded by releasing patches within 71 days as part of the February 2026 Android security update, demonstrating an improvement in response time compared to previous vulnerabilities.
Despite the prompt patching, the incident underscores persistent weaknesses in Android driver development. The same team responsible for the flawed BigWave driver developed the vulnerable VPU driver, indicating recurring issues in secure coding practices. Project Zero emphasizes the need for robust security reviews to prevent such vulnerabilities from advancing to production.
This research highlights the broader challenge within the Android ecosystem: minor flaws in hardware drivers can result in total system compromise. Strengthening security measures across the board remains essential to safeguarding user devices and data.
