Pixel 10 Zero-Click Exploit Chain: A Deep Dive into Android Security Vulnerabilities
A recent discovery has unveiled a powerful zero-click exploit chain affecting the Pixel 10, demonstrating how a remote Dolby decoding bug can escalate to full kernel control through a vulnerable video processing driver. This development raises significant concerns regarding Android’s security model, emphasizing the critical need for robust safeguards against such vulnerabilities.
Background of the Exploit Chain
The exploit chain begins with a previously known vulnerability in the Dolby Unified Decoder (UDC), CVE-2025-54957, which had already affected the Pixel 9 along with other Android devices. The bug, patched in the January 2026 Android update, permitted remote code execution triggered by a maliciously crafted Dolby Digital Plus (DD+) audio stream. In effect, it turned audio attachments and voice messages into an attack surface that could be exploited without any user interaction, a scenario referred to as a "zero-click" attack.
For the Pixel 10, Seth Jenkins of Google's Project Zero adapted the existing exploit by recomputing offsets to match the updated Dolby library. A notable obstacle was the switch to Return Address Pointer Authentication (RET PAC), which replaced the previous stack-protection mechanism. This change removed the option of simply overwriting __stack_chk_fail and demanded a more sophisticated route to regaining code execution.
The Updated Dolby UDC Exploit
The updated Dolby UDC exploit for the Pixel 10 targets an initialization function named dap_cpdp_init. This function runs only once, so overwriting it after it has completed does not disturb normal operation. Importantly, the revised exploit applies only to devices that have not yet received the patches introduced in December 2025 and January 2026.
While the Pixel 9 exploit relied on a bug in the BigWave AV1 driver to escalate local privileges to the kernel, the Pixel 10 does not ship with the BigWave driver. Instead, it features a new /dev/vpu driver that interacts with the Chips&Media Wave677DV video processing block for hardware video decoding. Because the same development team that was previously responsible for BigWave maintains this new driver, it became the obvious next target for examination.
Discovering the VPU Vulnerability
In a review lasting only about two hours, Jenkins and his colleague Jann Horn identified a serious vulnerability in the VPU's mmap handler that exposes arbitrary physical memory to user space. The flaw lies in a simplified vpu_mmap implementation that maps a physical region starting at the VPU registers into a caller-supplied virtual memory area without checking that the requested size stays within the bounds of that register region. As a result, a local process could use mmap to reach arbitrary physical memory, including the kernel image itself.
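The missing check is the whole story of this bug, so the following user-space model shows what a driver mmap handler has to verify before it hands a page range to remap_pfn_range. This is an added example, not the Pixel 10 /dev/vpu code or any Google code; the register base address, the 1 MiB region size and the function names are constructed for illustration. The unchecked variant mirrors the behaviour the article describes (every request is honoured), and the checked variant rejects non page-aligned lengths, offsets past the window, ranges that would run off its end, and offsets large enough to wrap naive offset-plus-length arithmetic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed parameters for the model; none of these come from the real driver. */
#define PAGE_SHIFT      12
#define PAGE_SIZE       ((uint64_t)1 << PAGE_SHIFT)
#define VPU_BASE_PHYS   ((uint64_t)0x1c000000)      /* hypothetical MMIO base  */
#define VPU_REGION_LEN  ((uint64_t)1 << 20)         /* hypothetical 1 MiB window */

/* Model of the flawed handler: the page offset and length that user space
 * passed to mmap() are used as-is, so a request larger than the register
 * window simply maps whatever physical pages follow it. */
static bool vpu_mmap_unchecked(uint64_t vm_pgoff, uint64_t vm_len,
                               uint64_t *first_pfn, uint64_t *npages)
{
    *first_pfn = (VPU_BASE_PHYS >> PAGE_SHIFT) + vm_pgoff;
    *npages    = vm_len >> PAGE_SHIFT;
    return true;                 /* never refuses anything */
}

/* Hardened model: the requested [pgoff, pgoff + pages) must lie entirely
 * inside the window. Every comparison is done in page units and the
 * subtraction is guarded, so no intermediate value can overflow. */
static bool vpu_mmap_checked(uint64_t vm_pgoff, uint64_t vm_len,
                             uint64_t *first_pfn, uint64_t *npages)
{
    const uint64_t region_pages = VPU_REGION_LEN >> PAGE_SHIFT;

    /* mmap lengths are page multiples; reject anything else (and zero). */
    if (vm_len == 0 || (vm_len & (PAGE_SIZE - 1)) != 0)
        return false;
    const uint64_t req_pages = vm_len >> PAGE_SHIFT;

    /* Offset must start inside the window ... */
    if (vm_pgoff >= region_pages)
        return false;
    /* ... and the range must not extend past its end. region_pages - vm_pgoff
     * cannot underflow because of the check just above. */
    if (req_pages > region_pages - vm_pgoff)
        return false;

    *first_pfn = (VPU_BASE_PHYS >> PAGE_SHIFT) + vm_pgoff;
    *npages    = req_pages;
    return true;
}

int main(void)
{
    uint64_t pfn, n;
    /* A request four times the size of the register window. */
    const uint64_t oversized = VPU_REGION_LEN * 4;

    bool a = vpu_mmap_unchecked(0, oversized, &pfn, &n);
    printf("unchecked: accepted=%d pages=%llu (window is %llu pages)\n",
           a, (unsigned long long)n,
           (unsigned long long)(VPU_REGION_LEN >> PAGE_SHIFT));

    bool b = vpu_mmap_checked(0, oversized, &pfn, &n);
    printf("checked:   accepted=%d\n", b);
    return 0;
}
```

In a real handler the same bounds test is what the kernel helper vm_iomap_memory() performs on the caller's behalf before calling io_remap_pfn_range(), which is why drivers that map device windows are usually advised to use it rather than hand-rolling the arithmetic.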
The vulnerability is made worse by the fact that the kernel sits at a fixed physical address on Pixel devices. An attacker knows exactly where to read and write without resorting to techniques such as brute-forcing or scanning to defeat Kernel Address Space Layout Randomization (KASLR).
Project Zero reported that building an arbitrary kernel read-write primitive took only five lines of code, allowing a full exploit to be completed in under a day. On November 24, 2025, Jenkins formally reported the VPU bug, which Android's Vulnerability Reporting Process (VRP) classified as "High" severity. That is an improvement over a similar issue in the BigWave driver, which received only a "Moderate" rating despite having identical implications.
The Response from Google
Google responded quickly, shipping a fix 71 days later in the February Pixel security bulletin. This was the first time an Android driver bug reported by Jenkins had been fixed in under 90 days, which points to an improvement in Android's triage and patching process for serious driver vulnerabilities.
Conclusion: The Implications for Android Security
This case highlights two trends in Android security. Response to severe driver vulnerabilities has clearly become faster, yet easily exploitable flaws in vendor-maintained kernel code remain a persistent threat.
Project Zero stresses that systematic secure coding practices, proactive driver audits and stronger development processes are needed if Original Equipment Manufacturers (OEMs) are to stop zero-click exploit chains of this kind before they reach end users. This incident shows that defending user data on these devices requires that kind of sustained, proactive attention rather than reactive patching alone.