
A recently disclosed zero-click exploit chain targeting Google Pixel 10 devices has raised new concerns about Android's foundational security.

Researchers from Google Project Zero showed how an attacker could silently compromise a device and escalate privileges to root, with no user interaction, by chaining just two vulnerabilities.

The attack builds on earlier research on Pixel 9 devices, where a Dolby Media Framework vulnerability (CVE-2025-54957) allowed remote code execution.

For Pixel 10, the researchers reused the same entry point with minimal changes. Most of the work involved recalculating memory offsets for the updated Dolby library.

Exploitation became somewhat more involved, however, because Return Address Pointer Authentication (RET PAC) had replaced the conventional stack-protection mechanism.

Because the usual overwrite target, __stack_chk_fail, was no longer available, the researchers identified an alternative function, dap_cpdp_init, that could be reliably hijacked without destabilizing the system.

This allowed the zero-click exploit to keep working on unpatched devices running security updates released before December 2025.

New Privilege Escalation Route

While the initial exploit stayed much the same, the privilege-escalation stage required an entirely new approach.

The Pixel 10 no longer ships the vulnerable BigWave driver used in earlier attacks. Instead, the researchers found a critical vulnerability in a newly added driver exposed at /dev/vpu.

This driver talks to the Chips&Media Wave677DV video processing unit on Google's Tensor G5 chip.

During a brief audit, Project Zero researchers found a serious flaw in the driver's memory-mapping code.

The issue lies in how the driver handles mmap requests. Specifically, it never validates the size of the region being mapped before calling remap_pfn_range.

  • A caller can request an oversized mapping.
  • The driver enforces no limit on the mapped region.
  • Large stretches of physical memory, including kernel space, are therefore exposed.
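The missing check described above is a generic driver bug class: an mmap handler that trusts the caller-supplied length. The following is an added illustration, not Project Zero's code or the real VPU driver, and every constant in it (page size, the device region's base and size, the hypothetical `mmap_len_*` functions) is assumed for the example. It shows the unchecked pattern next to a hardened handler that clamps every request to the region the device actually owns before anything would reach remap_pfn_range.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed constants: 4 KiB pages, as on the arm64 kernels these devices run. */
#define PAGE_SHIFT 12UL
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

/* Hypothetical device-owned region: the only physical memory an mmap on this
 * device node should ever expose. Assumed layout, not the real driver's. */
#define DEV_PHYS_BASE   0x10000000UL
#define DEV_REGION_SIZE (64UL * 1024)

/* Model of the flaw pattern: the length the caller asked for (vm_end - vm_start)
 * goes straight to remap_pfn_range with no comparison against the device region.
 * Returns the number of bytes that would be mapped, i.e. whatever was requested. */
long mmap_len_unchecked(unsigned long vm_start, unsigned long vm_end,
                        unsigned long vm_pgoff)
{
    unsigned long pfn = (DEV_PHYS_BASE >> PAGE_SHIFT) + vm_pgoff;
    unsigned long len = vm_end - vm_start;
    (void)pfn; /* would be passed to remap_pfn_range(vma, vm_start, pfn, len, prot) */
    return (long)len;
}

/* Hardened form: every request is validated against the device region before
 * any physical page is mapped. Returns the mapped length or a negative errno. */
long mmap_len_checked(unsigned long vm_start, unsigned long vm_end,
                      unsigned long vm_pgoff)
{
    unsigned long len, off;

    /* Reject empty or inverted ranges and lengths that are not page multiples. */
    if (vm_end <= vm_start)
        return -EINVAL;
    len = vm_end - vm_start;
    if (len & (PAGE_SIZE - 1))
        return -EINVAL;

    /* Bound the page offset before shifting it so the shift cannot overflow. */
    if (vm_pgoff > (DEV_REGION_SIZE >> PAGE_SHIFT))
        return -EINVAL;
    off = vm_pgoff << PAGE_SHIFT;

    /* Written as a subtraction so that off + len cannot wrap around. */
    if (len > DEV_REGION_SIZE - off)
        return -EINVAL;

    /* Only now derive the pfn; it is guaranteed to stay inside the region. */
    (void)((DEV_PHYS_BASE >> PAGE_SHIFT) + vm_pgoff);
    return (long)len;
}

int main(void)
{
    /* Constructed requests: a well-formed 16 KiB mapping, then a 1 MiB one
     * that runs far past the 64 KiB region the device owns. */
    printf("16 KiB: unchecked=%ld checked=%ld\n",
           mmap_len_unchecked(0x10000UL, 0x14000UL, 0),
           mmap_len_checked(0x10000UL, 0x14000UL, 0));
    printf("1 MiB:  unchecked=%ld checked=%ld\n",
           mmap_len_unchecked(0x10000UL, 0x110000UL, 0),
           mmap_len_checked(0x10000UL, 0x110000UL, 0));
    return 0;
}
```

The point of the hardened version is the order of the checks: the page offset is bounded before it is shifted, and the remaining capacity is computed by subtraction, so neither the shift nor the offset-plus-length sum can wrap. A review of any mmap handler that calls remap_pfn_range should look for exactly these three comparisons.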

Because the Android kernel is loaded at a known physical address on Pixel devices, an attacker can locate and modify critical kernel structures directly.

This effectively grants unrestricted read and write access to kernel memory.

The researchers noted that full kernel compromise took only a few lines of code, making this vulnerability remarkably easy to exploit compared with typical kernel flaws.

By chaining the Dolby zero-click vulnerability with the VPU driver flaw, an attacker can:

  • Execute code remotely without any user involvement.
  • Escalate privileges to root.
  • Take complete control of the device.

In practice, a malicious media file could trigger the initial exploit, followed by kernel manipulation to disable security features or install persistent malware.

Patch and Mitigations

The vulnerability was reported on November 24, 2025, and rated High severity.

Google fixed the issue within 71 days, shipping patches in the February 2026 Android security update, a considerable improvement in response time over previous driver vulnerabilities.

Despite the faster remediation, the findings point to persistent weaknesses in Android driver development.

Notably, the vulnerable VPU driver was written by the same team responsible for the earlier flawed BigWave driver, suggesting recurring gaps in secure coding and auditing practices.

Project Zero stressed that while faster patching is a positive step, preventing such vulnerabilities from reaching production in the first place remains essential.

The research highlights a broader problem: even small defects in hardware drivers can lead to full system compromise, reinforcing the need for more rigorous security review across the Android ecosystem.
