Google Project Zero: 0-Click Exploit Chain for Pixel 10 — From Dolby Decoder to Full Kernel Root
- What: Google Project Zero published a full 0-click exploit chain for the Pixel 10, going from zero-click context to kernel root
- Entry point: CVE-2025-54957 — a Dolby audio decoder vulnerability exploitable without any user interaction
- Privilege escalation: A VPU driver (WAVE677DV for Tensor G5) with a trivially exploitable mmap bug that maps arbitrary physical memory into userspace
- Impact: 5 lines of code for arbitrary kernel read-write; full exploit took less than a day to write
- Key quote: "This is the holy grail of kernel vulnerabilities"
- Patch: Fixed in February 2026 Pixel security bulletin, 71 days after report — fastest Android driver patch ever for Project Zero
Google's Project Zero team has published a detailed technical write-up of a complete 0-click exploit chain targeting the Pixel 10 — Google's latest flagship phone running on the Tensor G5 chip. The chain demonstrates that an attacker can go from zero user interaction to full kernel code execution by chaining two vulnerabilities: one in the Dolby audio decoder and another in the Video Processing Unit (VPU) driver.
This research builds on Project Zero's earlier Pixel 9 exploit chain, which achieved the same goal using the Dolby bug paired with a different privilege escalation via the BigWave driver. With BigWave absent on Pixel 10, the team found something even more dangerous hiding in the VPU driver.
The Entry Point: Dolby Decoder (CVE-2025-54957)
The first link in the chain is CVE-2025-54957, a vulnerability in the Dolby audio decoder present across Android devices. It is the same bug used in the Pixel 9 chain and was patched in the January 2026 bulletin. For the Pixel 10 exploit, the team ported the existing exploit to the new device, mostly by adjusting offsets for the library version shipped on Pixel 10.
The main challenge was that Pixel 10 builds the decoder with RET PAC (return-address signing using ARM Pointer Authentication Codes) instead of the traditional -fstack-protector canaries. With no canary check there is no __stack_chk_fail call to redirect, so overwriting __stack_chk_fail as a code target, as in the Pixel 9 exploit, was no longer an option. The workaround was to overwrite dap_cpdp_init instead: initialization code that runs once during decoder setup and never again, so clobbering it does not crash the process.
This exploit gives the attacker code execution within the mediacodec process — still confined by SELinux and lacking root access. The real magic happens in the next stage.
The Holy Grail: VPU Driver Vulnerability
When porting the exploit chain to Pixel 10, Project Zero discovered that the BigWave driver used for privilege escalation on Pixel 9 doesn't ship on Pixel 10. However, a new driver appeared at /dev/vpu in the mediacodec SELinux context.
This driver controls the Chips&Media Wave677DV video processing silicon on the Tensor G5 chip. Developed by the same team that built BigWave, it accelerates video decoding. Project Zero spent just 2 hours auditing the driver before finding what they describe as an exceptional vulnerability.
Unlike the upstream Linux driver for the older WAVE521C chip (which integrates with V4L2, the standard Video for Linux API), the Pixel's WAVE677DV driver directly exposes the chip's hardware interface to userspace, including letting userspace map the chip's MMIO register interface.
The Bug: Unbounded mmap
The vulnerability is breathtakingly simple. Here's the vulnerable vpu_mmap function:
static int vpu_mmap(struct file *fp, struct vm_area_struct *vm)
{
    unsigned long pfn;
    struct vpu_core *core =
        container_of(fp->f_inode->i_cdev, struct vpu_core, cdev);

    vm_flags_set(vm, VM_IO | VM_DONTEXPAND | VM_DONTDUMP);
    vm->vm_page_prot = pgprot_device(vm->vm_page_prot);
    pfn = core->paddr >> PAGE_SHIFT;

    /* The mapping length is taken from the VMA alone; nothing compares it
     * against the size of the VPU register block. */
    return remap_pfn_range(vm, vm->vm_start, pfn,
                           vm->vm_end - vm->vm_start, vm->vm_page_prot)
        ? -EAGAIN : 0;
}
The problem: remap_pfn_range is called based on the size of the VMA (Virtual Memory Area), not bounded to the actual size of the VPU register region. By specifying a size larger than the register region in an mmap syscall, an attacker can map as much physical memory as they want into userspace, starting from the physical address of the VPU register region.
Since the kernel image (including .text and .data) sits at a higher physical address than the VPU register region, the attacker can read and modify the entire kernel. And because the kernel is always at the same physical address on Pixel (defeating KASLR by design), the offset from VPU to kernel is a known constant — no scanning needed.
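To make the bounds problem concrete, here is an added userspace model of the arithmetic a bounded mmap handler has to get right. It is not Project Zero's code and not the vendor's fix (the write-up does not quote the patch). The struct fields, the hypothetical regs_size field, the physical addresses and the 8 MiB VPU-to-kernel distance are all constructed for the example. The unbounded variant reproduces the shipped behaviour above; the hardened variant rejects any request whose window would extend past the register block, including a non-zero page offset or a length whose arithmetic wraps.

```c
#include <errno.h>
#include <stdio.h>

#define PAGE_SHIFT 12UL
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

/* Minimal stand-ins for the kernel structures vpu_mmap touches.
 * Field names follow struct vm_area_struct; regs_size is a hypothetical
 * field the shipped driver would need in order to bound the mapping. */
struct vma_model {
    unsigned long vm_start;
    unsigned long vm_end;     /* exclusive */
    unsigned long vm_pgoff;   /* mmap() offset argument, in pages */
};

struct vpu_core_model {
    unsigned long paddr;      /* physical base of the MMIO register block */
    unsigned long regs_size;  /* size of that block in bytes (hypothetical) */
};

/* What a remap_pfn_range() call would hand to userspace. */
struct remap_result {
    int rc;                   /* 0 on success, -EINVAL when rejected */
    unsigned long phys_start;
    unsigned long phys_end;   /* exclusive */
};

/* The shipped logic: the length comes from the VMA alone, so any mmap()
 * length maps that many bytes of physical memory starting at paddr. */
struct remap_result vpu_mmap_unbounded(const struct vpu_core_model *core,
                                       const struct vma_model *vm)
{
    struct remap_result r = { 0, 0, 0 };
    unsigned long len = vm->vm_end - vm->vm_start;

    r.phys_start = core->paddr;
    r.phys_end = core->paddr + len;   /* can run far past the register block */
    return r;
}

/* Hardened variant: the window [off, off + len) must lie inside
 * [0, regs_size), and none of the arithmetic may wrap. */
struct remap_result vpu_mmap_bounded(const struct vpu_core_model *core,
                                     const struct vma_model *vm)
{
    struct remap_result r = { -EINVAL, 0, 0 };
    unsigned long len, off;

    if (vm->vm_end <= vm->vm_start)
        return r;                       /* empty or inverted VMA */
    len = vm->vm_end - vm->vm_start;
    if (vm->vm_pgoff > (core->regs_size >> PAGE_SHIFT))
        return r;                       /* offset already past the block */
    off = vm->vm_pgoff << PAGE_SHIFT;   /* cannot wrap after the check above */
    if (len > core->regs_size || off > core->regs_size - len)
        return r;                       /* window would extend past the block */

    r.rc = 0;
    r.phys_start = core->paddr + off;
    r.phys_end = r.phys_start + len;
    return r;
}

/* Constructed scenario: a 64 KiB register block at a made-up physical base,
 * with the kernel image assumed to sit 8 MiB above it. Not real Tensor G5 values. */
static const struct vpu_core_model demo_core = { 0x10000000UL, 0x10000UL };
static const unsigned long demo_kernel_phys = 0x10000000UL + 0x800000UL;

typedef struct remap_result (*mmap_handler)(const struct vpu_core_model *,
                                            const struct vma_model *);

/* Drive a handler with an mmap()-style request of len bytes at page offset pgoff. */
struct remap_result request(mmap_handler handler, unsigned long len, unsigned long pgoff)
{
    struct vma_model vm = { 0x7f0000000000UL, 0x7f0000000000UL + len, pgoff };
    return handler(&demo_core, &vm);
}

/* 1 if the mapping produced for that request covers physical address phys. */
int request_reaches(mmap_handler handler, unsigned long len, unsigned long pgoff,
                    unsigned long phys)
{
    struct remap_result r = request(handler, len, pgoff);
    return r.rc == 0 && phys >= r.phys_start && phys < r.phys_end;
}

int main(void)
{
    unsigned long legit = demo_core.regs_size;   /* exactly the register block */
    unsigned long oversize = 16UL << 20;         /* 16 MiB, reaches the kernel */

    printf("unbounded, %lu-byte request reaches kernel: %d\n", oversize,
           request_reaches(vpu_mmap_unbounded, oversize, 0, demo_kernel_phys));
    printf("bounded, same request rc: %d\n", request(vpu_mmap_bounded, oversize, 0).rc);
    printf("bounded, in-range request rc: %d\n", request(vpu_mmap_bounded, legit, 0).rc);
    return 0;
}
```

The two checks that matter are the ones the shipped handler lacks: the requested length is compared against the block size, and the page offset is checked before it is shifted so that a huge vm_pgoff cannot wrap into an apparently small offset. In a real driver the same comparisons would sit in front of remap_pfn_range and return -EINVAL.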
5 Lines of Code, Full Kernel Access
With this bug, achieving arbitrary kernel read-write required just 5 lines of code. A full working exploit took less than a day to develop. The attacker can overwrite any kernel function to gain code execution — or any other primitive they desire.
This is as close to a "game over" vulnerability as you can get in kernel security.
The Patch: 71 Days — A Record for Android
Project Zero reported the VPU vulnerability on November 24, 2025. Android VRP rated it High severity — an improvement over the BigWave bug from the Pixel 9 chain, which was initially rated as Moderate despite identical security impact.
The vulnerability was patched in the February 2026 Pixel security bulletin, just 71 days after the initial report. This is the fastest an Android driver vulnerability reported by Project Zero has ever been remediated — a notable milestone given that previous similar bugs routinely exceeded the 90-day disclosure deadline.
What This Means for Android Security
This research highlights both progress and persistent problems in Android's driver security:
The Good
- Faster triage: Android's security team is taking driver vulnerabilities more seriously, rating and patching them faster
- RET PAC adoption: Pixel 10's use of pointer authentication shows hardware security features are maturing
- Responsible disclosure working: 71-day patch turnaround is a meaningful improvement
The Bad
- Shallow bugs persist: The VPU driver vulnerability was "instantly noticeable with even a cursory audit" — yet it shipped on production hardware
- No learning from BigWave: Despite Project Zero's Pixel 9 research exposing BigWave's issues, the same development team shipped a VPU driver with an equally trivial bug 5 months later
- Direct hardware exposure: Bypassing V4L2 and directly exposing MMIO to userspace is a fundamentally risky architecture choice
- KASLR defeat by design: The kernel's fixed physical address on Pixel eliminates an entire layer of defense
Practical Takeaways
For Pixel Users
- Update to the February 2026 security patch or later — this vulnerability is fully patched
- This is a 0-click chain: no physical access and no user interaction is needed, only for the device to process a malicious audio file. The risk is real, but an attacker still has to deliver that file to a specific device, so this is the profile of a targeted attack
- Pixel's monthly security updates are critical — don't skip them
For Android Driver Developers
- Use V4L2 — don't bypass the standard video API to directly expose hardware to userspace
- Bound mmap ranges — always validate that the requested mapping size doesn't exceed the actual hardware register region
- Audit sibling drivers — when one driver from a team has security issues, all their drivers deserve scrutiny
- Don't ship custom mmap handlers unless absolutely necessary — the V4L2 framework handles this safely
For Security Researchers
- Android drivers remain a rich attack surface — especially vendor-specific ones that bypass standard frameworks
- The mediacodec SELinux context is a high-value target: it has access to multiple vendor drivers
- Cross-referencing open-source driver code with production binaries can reveal subtle differences that create vulnerabilities
The Bigger Picture
Project Zero's conclusion is measured but pointed: while Android's patch pipeline is improving, the quality of driver code remains a systemic concern. When the same team ships a trivially exploitable mmap bug 5 months after their previous driver was audited and patched, it suggests the problem isn't individual mistakes — it's development practices.
The Pixel 10 exploit chain is a masterclass in modern mobile exploitation: a zero-click entry through a media codec, pivoting to kernel access through a carelessly written driver, all achievable in under a day of work. It's also a reminder that the most dangerous vulnerabilities are often the simplest ones.
References
- Project Zero: A 0-click exploit chain for the Pixel 10
- Project Zero: Pixel 9 0-click exploit chain (Part 1)
- Project Zero: Defeating KASLR by doing nothing at all
- Hacker News discussion (366 points, 180 comments)
Disclosure: This article is based on Google Project Zero's public research. The vulnerabilities described have been patched in the February 2026 Pixel security bulletin.