# How the Pixel 10 Zero‑Click Exploit Worked — and How to Protect Your Phone
A zero‑click exploit chain disclosed by Google Project Zero in May 2026 showed how an attacker could go from a remote bug in a widely deployed Dolby media decoder to root and kernel control on unpatched Pixel 10 phones, without the victim tapping anything. The chain started with remote code execution (RCE) in Dolby Media Framework UDC (CVE‑2025‑54957) and finished by exploiting a Pixel 10–specific VPU kernel driver flaw that let the attacker map and overwrite kernel memory on devices whose security patch level (SPL) is December 2025 or earlier.
## What happened in the Pixel 10 zero‑click exploit?
Project Zero researchers Seth Jenkins and Jann Horn published “A 0-click exploit chain for the Pixel 10: When a Door Closes, a Window Opens,” demonstrating a complete end‑to‑end attack path:
- Entry point: a crafted audio payload triggers RCE inside the Dolby universal decoder (CVE‑2025‑54957).
- Escalation: code running in the media decoding context pivots to a local kernel bug in the Pixel 10’s Chips&Media WAVE677DV VPU driver exposed at /dev/vpu.
- Outcome: on vulnerable builds, the attacker can reach persistent kernel control and root, with no user interaction.
The key idea is that a “universal” media bug can be reused across many devices, then paired with a device‑specific privilege escalation to finish the job.
## The technical chain, step by step
### Step 1 — Media codec RCE (Dolby UDC / CVE‑2025‑54957)
The chain begins with CVE‑2025‑54957, a vulnerability in Dolby Media Framework UDC that allows remote code execution via crafted audio input. Project Zero had previously used this Dolby bug as an entry point in its earlier Pixel 9 work, and noted that it affected many Android devices until it was patched in January 2026.
### Step 2 — From codec compromise to local exploit surface
Even after compromising the decoder, the attacker's code initially runs in the restricted mediacodec SELinux domain, not as root. That domain is still permitted to open certain system interfaces, including specific device nodes, and each such node is a kernel driver whose ioctl and mmap handlers the attacker can now call. That is the bridge from "media parsing" to kernel‑adjacent attack surface.
### Step 3 — VPU driver vulnerability at /dev/vpu
For the Pixel 10, Project Zero identified a new escalation path: the kernel driver for the Chips&Media WAVE677DV video processing unit, exposed as /dev/vpu and, as the write‑up notes, openable from the mediacodec SELinux context.
The driver's mapping code called remap_pfn_range without properly bounding the requested range to the device's MMIO region. As Project Zero described it, the practical consequence was twofold: device MMIO could be mapped unsafely, and, more importantly, effectively arbitrary physical memory, kernel memory included, could be mapped into userspace.
### Step 4 — Kernel takeover (write into kernel .text and data)
Once arbitrary physical memory can be mapped into the attacker's process, the rest is straightforward. The new mapping is a second, writable alias of those physical pages, so the read‑only permissions the kernel set on its own .text mapping no longer protect them. The exploit writes into kernel .text and data, converts that into kernel code execution, and the chain ends where defenders least want it: root with persistent kernel‑level control.
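As an added illustration of steps 3 and 4 (example code written for this article; it is not Project Zero's proof of concept and not the real /dev/vpu driver), the C program below models in userspace the one decision an mmap handler makes before calling remap_pfn_range: which physical page frame to hand it. A handler that trusts the caller's page offset is placed beside one that bounds the request to the device's register window with overflow‑safe arithmetic. The window base, window size and the "kernel text" physical address are hypothetical values chosen for the demo, since the write‑up gives none of them; the struct mirrors only the vm_area_struct fields that matter.

```c
/* Example added for this article: userspace model of the pfn selection an
 * mmap handler performs before remap_pfn_range(). Not the Pixel 10 driver.
 * Build: cc -Wall -o vpu_model vpu_model.c */
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SHIFT 12UL
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

/* Hypothetical MMIO register window the driver is meant to expose. */
#define VPU_REG_PHYS 0x1a000000UL
#define VPU_REG_SIZE 0x00010000UL        /* 64 KiB = 16 pages */

/* Hypothetical physical address of kernel .text, purely for the demo. */
#define KERNEL_TEXT_PHYS 0x80000000UL

/* The struct vm_area_struct fields that matter. vm_pgoff is the page offset
 * the caller passed to mmap(2), so an attacker controls it completely. */
struct vma {
    unsigned long vm_start;              /* user VA of the mapping */
    unsigned long vm_end;
    unsigned long vm_pgoff;
};

/* VULNERABLE pattern: base pfn plus caller-controlled offset, no check. The
 * result would go straight into
 *   remap_pfn_range(vma, vma->vm_start, pfn, vma->vm_end - vma->vm_start, prot);
 * so any physical page, kernel .text included, can be mapped writable. */
unsigned long vpu_mmap_pfn_vulnerable(const struct vma *v)
{
    return (VPU_REG_PHYS >> PAGE_SHIFT) + v->vm_pgoff;
}

/* HARDENED: accept only ranges that stay inside the register window.
 * Returns true and sets *pfn; false means the handler should return -EINVAL
 * and never reach remap_pfn_range(). */
bool vpu_mmap_pfn_hardened(const struct vma *v, unsigned long *pfn)
{
    unsigned long len, off;

    if (v->vm_end <= v->vm_start)
        return false;
    len = v->vm_end - v->vm_start;
    if (len & (PAGE_SIZE - 1))           /* whole pages only */
        return false;
    /* Bound vm_pgoff before shifting so (vm_pgoff << PAGE_SHIFT) cannot wrap. */
    if (v->vm_pgoff >= (VPU_REG_SIZE >> PAGE_SHIFT))
        return false;
    off = v->vm_pgoff << PAGE_SHIFT;
    /* End check written as len <= SIZE - off: no off + len that could overflow. */
    if (len > VPU_REG_SIZE - off)
        return false;
    *pfn = (VPU_REG_PHYS + off) >> PAGE_SHIFT;
    return true;
}

/* One-page mmap() request whose offset is chosen so base + offset lands on
 * KERNEL_TEXT_PHYS. Constructed input for the demo. */
static struct vma crafted_request(void)
{
    struct vma v = { .vm_start = 0x7f0000000000UL,
                     .vm_end   = 0x7f0000000000UL + PAGE_SIZE,
                     .vm_pgoff = (KERNEL_TEXT_PHYS - VPU_REG_PHYS) >> PAGE_SHIFT };
    return v;
}

/* pfn the vulnerable handler maps for the crafted request (kernel text). */
unsigned long demo_vulnerable_maps_kernel_pfn(void)
{
    struct vma v = crafted_request();
    return vpu_mmap_pfn_vulnerable(&v);
}

/* The hardened handler rejects the same request. */
bool demo_hardened_rejects_crafted(void)
{
    struct vma v = crafted_request();
    unsigned long pfn;
    return !vpu_mmap_pfn_hardened(&v, &pfn);
}

/* A huge vm_pgoff wraps the unchecked addition to a page *below* the window. */
bool demo_vulnerable_wraps_below_window(void)
{
    struct vma v = crafted_request();
    v.vm_pgoff = ~0UL;                   /* base + (2^64 - 1) == base - 1 */
    return vpu_mmap_pfn_vulnerable(&v) == (VPU_REG_PHYS >> PAGE_SHIFT) - 1;
}

/* Legitimate request for page 1 of the window: returns its pfn, or 0 if refused. */
unsigned long demo_hardened_in_window_pfn(void)
{
    struct vma v = crafted_request();
    unsigned long pfn = 0;
    v.vm_pgoff = 1;
    return vpu_mmap_pfn_hardened(&v, &pfn) ? pfn : 0;
}

int main(void)
{
    printf("vulnerable handler maps pfn 0x%lx for the crafted request\n",
           demo_vulnerable_maps_kernel_pfn());
    printf("hardened handler rejects it: %s\n",
           demo_hardened_rejects_crafted() ? "yes" : "no");
    printf("hardened handler maps in-window page as pfn 0x%lx\n",
           demo_hardened_in_window_pfn());
    return 0;
}
```

The two checks that matter are the ones a real driver most often omits: bounding vm_pgoff before the shift (so the offset cannot wrap to a small value) and writing the end‑of‑range test as a subtraction on the known‑good side. In a real driver the same validation belongs in the mmap file operation, and vma->vm_page_prot should additionally be forced to a non‑cached, device‑memory protection for MMIO.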
## What changed from Pixel 9—and why Pixel 10 needed a new approach
This Pixel 10 chain “rhymes” with Project Zero’s earlier Pixel 9 work (the Dolby decoder bug remained the reusable remote foothold), but two key changes forced a redesign of the later stages.
### The Dolby port was mostly offset work
Project Zero’s write‑up emphasizes that porting the Dolby stage to Pixel 10 was largely about updating offsets for the specific library version: “The majority of needed changes involved updating offsets…” for Pixel 10 versus Pixel 9. In other words, the entry exploit was adaptable, but not drop‑in.
### Pixel 10 added RET PAC, breaking a prior technique
Pixel 10 also introduced return‑address Pointer Authentication (RET PAC) "in place of -fstack-protector". Without stack canaries there is no canary failure handler to hijack, so the Pixel 9 trick of overwriting __stack_chk_fail was gone: "__stack_chk_fail wasn't available to be overwritten by code."
Project Zero instead used a different overwrite target: dap_cpdp_init, described as initialization code “called once when the decoder is initialized and never again,” making it a safer one‑time hook point.
### The local escalation stage changed: no BigWave, so VPU filled the gap
The Pixel 9 chain used a BigWave driver bug for local privilege escalation. But BigWave doesn’t ship on Pixel 10, so Project Zero had to find a new, Pixel 10–relevant escalation bug. That became the VPU driver flaw at /dev/vpu.
## Why the VPU issue is particularly dangerous
The standout risk here isn’t just “a bug in a driver”—it’s the nature of the primitive it provides.
- Mapping arbitrary physical frames (due to missing bounds enforcement around what should be a constrained MMIO region) collapses many layers of defense.
- It enables direct writes into kernel memory from a compromised but non‑privileged context.
- It illustrates an uncomfortable pattern: even if a remote entry point is common (Dolby), the “finishing move” can be model‑specific (a particular phone’s driver stack), enabling highly targeted chains.
This is exactly why defenders often struggle with “patched in general” vs “patched on this SKU with this firmware.”
## Why It Matters Now
Project Zero published the analysis and proof‑of‑concept details in May 2026, but the risk window is shaped by patch reality:
- The Dolby CVE (CVE‑2025‑54957) was fixed in the January 2026 patch level; any Pixel 10 still on the December 2025 SPL or earlier has not received that fix and remains exposed to the demonstrated chain.
- The disclosure reinforces a recurring, high‑impact recipe: a broadly deployed media bug as a reusable zero‑click entry point, paired with a device‑specific kernel driver weakness to get to root.
- For organizations, unpatched phones in sensitive roles remain attractive targets for espionage or persistent compromise, precisely because zero‑click delivery reduces reliance on user mistakes.
## What you can do right now (practical mitigations)
- Install updates immediately. Apply the Android security and firmware updates that carry the January 2026 Dolby fix and everything released after it.
- Check your SPL/firmware. Open Settings > About phone > Android version and read the Android security update date (the same value is exposed to tooling as the ro.build.version.security_patch system property). If a Pixel 10 shows December 2025 or earlier, treat updating it as high priority.
- Reduce media ingestion risk until patched. The entry point is a crafted audio payload that the decoder processes without any tap, so turning off automatic media download and preview in messaging apps, and not accepting media from unknown senders, narrows exposure while the update is pending; it does not close the hole.
- Enterprise controls (admins): use MDM to enforce a minimum security patch level and update deadlines, and block access to corporate resources from devices that fall below it. Restricting which SELinux domains may open device nodes such as /dev/vpu is an OEM platform change, not something MDM can apply.
- Layered detection: even with zero‑click delivery, device attestation (boot state and reported patch level) and behavioural monitoring can surface post‑exploitation activity such as unexpected root‑level changes.
## What vendors and admins should do
Project Zero’s chain also reads like a checklist for systemic hardening:
- Harden media codecs and treat widely deployed decoders as high‑risk inputs.
- Audit kernel drivers whose mmap handlers expose device MMIO through remap_pfn_range or io_remap_pfn_range: validate the caller's offset and length against the intended register window with overflow‑safe arithmetic, so a mapping can never reach physical pages outside it.
- Constrain device node access from media‑adjacent SELinux contexts where feasible.
- Backport and communicate clearly: publish which SPL/firmware versions are safe, and ship fixes quickly across affected SKUs.
## What to Watch
- Google and carrier advisories that explicitly confirm patches affecting the Pixel 10 VPU driver path.
- Project Zero issue tracker updates and follow‑up materials (attachments, PoC refinements, and vendor responses).
- Similar exploit patterns on other Android devices: a common media decoder foothold paired with a “weird” device‑specific driver mapping flaw.
Sources: projectzero.google ; byteiota.com ; cybersecuritynews.com ; gbhackers.com ; forbes.com ; imdb.com
## About the Author
yrzhe
AI Product Thinker & Builder. Curating and analyzing tech news at TechScan AI. Follow @yrzhe_top on X for daily tech insights and commentary.