A 0-click exploit chain for the Pixel 10
3 hours ago
- #Android Security
- #Kernel Exploit
- #Zero-Click Vulnerability
- Project Zero published an exploit chain for the Google Pixel 9 that goes from zero-click to root using two exploits; the Dolby vulnerability it relies on was patched in January 2026.
- The Pixel 10 exploit chain required updating offsets for CVE-2025-54957 and adapting to RET PAC, using dap_cpdp_init for exploitation.
- Pixel 10 lacked the BigWave driver but introduced a VPU driver; a 2-hour audit with Jann Horn revealed a critical vulnerability allowing unlimited physical memory mapping.
- The VPU driver's mmap handler uses remap_pfn_range without size bounds, enabling userspace to map kernel physical memory and modify kernel functions easily.
- The bug, reported on November 24, 2025, was rated High severity and patched in 71 days, showing improved triage and faster patch times in Android.
- While the handling of the VPU bug indicates progress in Android's security response, the discovery highlights ongoing driver security issues and the need for proactive code auditing.
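The mmap bullet above describes a bug class that is clearest when the unchecked handler sits next to its bounds-checked form. What follows is an added user-space C model, not code from the Project Zero post or from the VPU driver itself: the struct names, the field subset of vm_area_struct, the record of what remap_pfn_range() would be asked to map, and the buffer values are all assumptions made for illustration.

```c
/* Hypothetical model of an mmap handler bug class: a caller-controlled
 * offset and length forwarded to remap_pfn_range() without checking that
 * the requested pages lie inside the device's own buffer. Names, layout
 * and values are assumptions, not the real VPU driver. */
#include <stdint.h>
#include <stdbool.h>
#include <errno.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  ((uint64_t)1 << PAGE_SHIFT)

/* Subset of struct vm_area_struct that an mmap handler consults. */
struct vma_model {
    uint64_t vm_start;  /* user VA of the mapping, page aligned */
    uint64_t vm_end;    /* user VA one past the mapping */
    uint64_t vm_pgoff;  /* mmap() offset argument, in pages */
};

/* The only region the device should ever expose (hypothetical). */
struct vpu_dev {
    uint64_t buf_pfn;   /* first physical page of the DMA buffer */
    uint64_t buf_pages; /* number of pages in that buffer */
};

/* What remap_pfn_range() would be asked to map. */
struct remap_req { uint64_t pfn; uint64_t pages; bool called; };

/* Vulnerable pattern: pfn and size come straight from the caller, so a
 * large mapping or a large offset reaches physical memory past the buffer. */
static int vpu_mmap_unchecked(const struct vpu_dev *dev,
                              const struct vma_model *vma, struct remap_req *out)
{
    out->pfn    = dev->buf_pfn + vma->vm_pgoff;
    out->pages  = (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
    out->called = true;
    return 0;
}

/* Hardened form: the request must fit inside [buf_pfn, buf_pfn + buf_pages)
 * and the offset + length arithmetic must not wrap. */
static int vpu_mmap_checked(const struct vpu_dev *dev,
                            const struct vma_model *vma, struct remap_req *out)
{
    uint64_t pages = (vma->vm_end - vma->vm_start) >> PAGE_SHIFT, end_pg;
    out->called = false;
    if (vma->vm_end <= vma->vm_start || pages == 0)
        return -EINVAL;
    if (__builtin_add_overflow(vma->vm_pgoff, pages, &end_pg) ||
        end_pg > dev->buf_pages)
        return -EINVAL;
    out->pfn = dev->buf_pfn + vma->vm_pgoff;
    out->pages = pages;
    out->called = true;
    return 0;
}
```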