Google Project Zero has published a full exploit chain targeting the Pixel 10, demonstrating a path from zero-click initial access to root on Android. The research builds on an earlier chain developed for the Pixel 9, updating components where necessary to account for hardware and software differences in the newer device.

Updating the Dolby Entry Point

The first link in the chain reuses CVE-2025-54957, a zero-click vulnerability in the Dolby audio decoder that affected Android broadly until it was patched in January 2026. Adapting the exploit for the Pixel 10 was largely a matter of recalculating library offsets for the version of the Dolby UDC library shipped on the newer device. One notable difference: the Pixel 10 build of the library is protected with return-address pointer authentication (PAC) instead of -fstack-protector, so __stack_chk_fail is no longer present as an overwrite target. The researchers substituted dap_cpdp_init, initialization code that runs once at decoder startup and can therefore be overwritten without disrupting the decoder's normal operation. The updated exploit is only effective against devices running a Security Patch Level of December 2025 or earlier; a device on the January 2026 or later patch level carries the Dolby fix and the chain has no entry point.

A New Privilege Escalation Path: The VPU Driver

The Pixel 9 chain relied on a vulnerability in the BigWave driver for local privilege escalation, but that driver does not ship on the Pixel 10. Project Zero identified a replacement target in the mediacodec SELinux context: /dev/vpu, a driver for the Chips&Media Wave677DV video decode accelerator present in the Tensor G5 chip. The driver shares authorship with the BigWave driver.

Working with Jann Horn, researchers spent approximately two hours auditing the VPU driver and found what they describe as an exceptionally simple vulnerability. Unlike the upstream Linux driver for a comparable Chips&Media chip, the Pixel driver bypasses the V4L2 API entirely, directly exposing the chip’s MMIO register interface to userspace.

The Vulnerability: Unbounded Physical Memory Mapping

The flaw resides in the driver's mmap handler. When mapping the VPU's MMIO register region into userspace, the handler calls remap_pfn_range with a length derived solely from the size of the requested virtual memory area (vm_end minus vm_start), with no bounds check against the actual size of the hardware register region. A caller can therefore request an arbitrarily large mapping, starting at the VPU's physical base address and extending through as much contiguous physical memory as follows it. This is the classic mmap-handler failure mode: both the page offset and the length supplied by userspace must be validated against the resource being exposed, and the check must be written so that their sum cannot wrap.

Because the kernel image, including its .text and .data sections, resides at a higher physical address than the VPU region, and because the kernel is always loaded at a fixed physical address on Pixel devices, an attacker can calculate the exact offset to the kernel without scanning. The result is direct read-write access to kernel memory from userspace. Project Zero reports that achieving arbitrary kernel read-write required five lines of code and that a complete working exploit took less than one day to write.
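The handler shape the article describes, as an added example that is not Project Zero's code and not the Pixel VPU driver's code: a userspace C model of the mmap bounds check, with the unchecked form beside the corrected one and the attacker's offset arithmetic alongside. The struct and function names imitate kernel ones (vm_start, vm_end, vm_pgoff, remap_pfn_range) for recognisability, and every address and size is a constructed placeholder rather than a Tensor G5 value.

```c
/*
 * Added example, not the Pixel VPU driver's code: a userspace model of the
 * mmap handler bounds check.  Kernel names (vm_start, vm_end, vm_pgoff,
 * remap_pfn_range) are borrowed for recognisability; all addresses and
 * sizes are placeholders, not Tensor G5 values.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)

/* Minimal stand-in for the fields of struct vm_area_struct a handler reads. */
struct vma {
    uint64_t vm_start;  /* user VA where the mapping begins */
    uint64_t vm_end;    /* user VA one past the end: length = vm_end - vm_start */
    uint64_t vm_pgoff;  /* caller-supplied page offset into the device region */
};

/* Stand-in for the device's MMIO resource (physical base and byte size). */
struct mmio_res {
    uint64_t phys_base;
    uint64_t size;
};

/* What a mmap call would wire into the page tables, or an errno. */
struct map_result {
    int err;
    uint64_t phys_first;  /* first physical byte exposed */
    uint64_t phys_last;   /* last physical byte exposed (inclusive) */
};

/*
 * VULNERABLE shape.  The length handed to remap_pfn_range() comes from the
 * VMA alone, so a request larger than the register block keeps mapping
 * physical pages past it, up to and including a kernel image that sits
 * above the device.
 */
static struct map_result vpu_mmap_vulnerable(const struct vma *vma,
                                             const struct mmio_res *res)
{
    uint64_t size = vma->vm_end - vma->vm_start;
    uint64_t pfn  = (res->phys_base >> PAGE_SHIFT) + vma->vm_pgoff;
    /* remap_pfn_range(vma, vma->vm_start, pfn, size, vma->vm_page_prot); */
    return (struct map_result){ 0, pfn << PAGE_SHIFT, (pfn << PAGE_SHIFT) + size - 1 };
}

/*
 * FIXED shape.  Validate the caller's page offset and page count against the
 * resource before remapping.  The comparison is arranged as a subtraction on
 * the known-good side so that pgoff + pages cannot wrap around.
 */
static struct map_result vpu_mmap_fixed(const struct vma *vma,
                                        const struct mmio_res *res)
{
    uint64_t size      = vma->vm_end - vma->vm_start;
    uint64_t req_pages = size >> PAGE_SHIFT;
    uint64_t res_pages = res->size >> PAGE_SHIFT;

    if (size == 0 || (size & (PAGE_SIZE - 1)) != 0)
        return (struct map_result){ -EINVAL, 0, 0 };
    if (vma->vm_pgoff > res_pages || req_pages > res_pages - vma->vm_pgoff)
        return (struct map_result){ -EINVAL, 0, 0 };

    /* Bounds proven; the remap itself is unchanged. */
    return vpu_mmap_vulnerable(vma, res);
}

/*
 * Attacker's arithmetic: with the kernel at a fixed physical address above
 * the device, the kernel appears at this byte offset inside an oversized
 * mapping taken from the start of the VPU region.
 */
static uint64_t kernel_offset_in_mapping(uint64_t vpu_phys_base,
                                         uint64_t kernel_phys_base)
{
    return kernel_phys_base - vpu_phys_base;
}

int main(void)
{
    /* Constructed placeholder layout: a 4 KiB register block, kernel image higher up. */
    const struct mmio_res vpu = { 0x10000000ULL, 0x1000ULL };
    const uint64_t kernel_phys = 0x80000000ULL;

    /* Legitimate request: one page at offset 0. */
    struct vma one_page = { 0x7f0000000000ULL, 0x7f0000001000ULL, 0 };
    /* Hostile request: 2 GiB starting at the register block. */
    struct vma huge = { 0x7f0000000000ULL, 0x7f0000000000ULL + 0x80000000ULL, 0 };

    struct map_result ok   = vpu_mmap_fixed(&one_page, &vpu);
    struct map_result bad  = vpu_mmap_fixed(&huge, &vpu);
    struct map_result leak = vpu_mmap_vulnerable(&huge, &vpu);

    printf("fixed, 1 page:     err=%d phys=%#llx..%#llx\n", ok.err,
           (unsigned long long)ok.phys_first, (unsigned long long)ok.phys_last);
    printf("fixed, 2 GiB:      err=%d (rejected)\n", bad.err);
    printf("vulnerable, 2 GiB: phys=%#llx..%#llx, kernel at mapping offset %#llx\n",
           (unsigned long long)leak.phys_first, (unsigned long long)leak.phys_last,
           (unsigned long long)kernel_offset_in_mapping(vpu.phys_base, kernel_phys));
    return 0;
}
```

The point is in vpu_mmap_fixed: the page offset is compared first, then the page count is compared against the remaining pages, so an offset and length whose sum wraps around cannot slip past the check. In a real driver the same guard belongs directly in front of remap_pfn_range(); when auditing, look for any mmap handler whose only input to the mapping length is vma->vm_end - vma->vm_start.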

Disclosure and Patch Timeline

The vulnerability was reported to Google on November 24, 2025. Android’s Vulnerability Rewards Program rated it High severity, a step up from the Moderate rating initially assigned to the functionally equivalent BigWave bug on the Pixel 9. Google patched the issue in the February 2026 Pixel security bulletin, 71 days after the initial report. Project Zero notes this is the first time an Android driver bug it reported was remediated within 90 days of vendor notification.

Takeaways

Project Zero draws a mixed conclusion from the research. On the positive side, Android's triage and patch pipeline shows measurable improvement: a kernel driver bug yielding arbitrary kernel read-write was rated High and fixed in 71 days, significantly faster than comparable issues in the past. On the other hand, the ease with which a devastating kernel primitive was obtained from a newly introduced driver, after roughly two hours of auditing, highlights a continuing gap in security review practices for Android's driver codebase. The researchers express hope that surfacing these issues will encourage more rigorous security-aware development across the Android driver ecosystem.