Google Project Zero Discloses Zero-Click Exploit Chain for Pixel 10 Devices
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A newly disclosed zero-click exploit chain targeting Google Pixel 10 devices<\/a> has raised fresh concerns about Android\u2019s low-level security.<\/p>\n Google Project Zero researchers demonstrated how attackers could silently compromise a device and escalate privileges to root without any user interaction by chaining just two vulnerabilities.<\/p>\n The attack builds on earlier research targeting Pixel 9 devices, in which a Dolby Media Framework flaw (CVE-2025-54957)<\/a> enabled remote code execution.<\/p>\n For Pixel 10, researchers successfully adapted the same entry point with minimal effort. Most changes involved recalculating memory offsets for the updated Dolby library.<\/p>\n However, exploitation became slightly more complex due to the introduction of Return Address Pointer Authentication (RET PAC), which replaced traditional stack protection mechanisms.<\/p>\n Because the usual overwrite target (__stack_chk_fail) was no longer available, researchers identified an alternative function,\u00a0dap_cpdp_init, which could be safely hijacked without disrupting system stability.<\/p>\n This allowed the zero-click exploit<\/a> to remain effective on unpatched devices running security updates issued before December 2025.<\/p>\n While the initial exploit remained similar, the privilege escalation stage required a completely new approach.<\/p>\n The Pixel 10 no longer includes the vulnerable BigWave driver used in earlier attacks. Instead, researchers discovered a critical flaw in a newly introduced driver located at\u00a0\/dev\/vpu.<\/p>\n This driver interfaces with the Chips&Media Wave677DV video processing unit on Google\u2019s Tensor G5 chip.<\/p>\n During a brief audit, Project Zero researchers identified<\/a> a severe vulnerability in the driver\u2019s memory mapping functionality.<\/p>\n The flaw lies in how the driver handles\u00a0mmap\u00a0requests. Specifically, it fails to validate the size of memory being mapped when calling\u00a0remap_pfn_range.<\/p>\n Because the Android kernel<\/a> is loaded at a predictable physical address on Pixel devices, attackers can directly locate and overwrite critical kernel structures.<\/p>\n This effectively grants arbitrary read and write access to kernel memory.<\/p>\n Researchers noted that achieving full kernel compromise required just a few lines of code, making this vulnerability unusually easy to exploit compared to typical kernel bugs.<\/p>\n By combining the Dolby zero-click vulnerability with the VPU driver flaw, attackers can:<\/p>\n In a real-world scenario, a malicious media file<\/a> could trigger the initial exploit, followed by kernel manipulation to turn off security controls or install persistent malware.<\/p>\n The vulnerability was reported on November 24, 2025, and classified as High severity.<\/p>\n Google addressed the issue within 71 days, releasing patches in the February 2026 Android security update<\/a>, marking a notable improvement in response time compared to past driver vulnerabilities.<\/p>\n Despite faster remediation, the findings highlight ongoing weaknesses in Android driver<\/a> development.<\/p>\n Notably, the vulnerable VPU driver was developed by the same team responsible for the previously flawed BigWave driver, suggesting recurring gaps in secure coding and auditing practices.<\/p>\n Project Zero emphasized that while faster patching is a positive step, preventing such vulnerabilities from reaching production remains critical.<\/p>\n The research underscores a broader challenge: even minor flaws in hardware drivers can lead to full system compromise, reinforcing the need for stronger security reviews across the Android ecosystem.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n The post Google Project Zero Discloses Zero-Click Exploit Chain for Pixel 10 Devices<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nNew Privilege Escalation Path<\/strong><\/h2>\n
\n
\n
Patch and Mitigations<\/strong><\/h2>\n