A 0-click exploit chain for the Pixel 10: When a Door Closes, a Window Opens
Project Zero researchers developed a 0-click exploit chain for the Google Pixel 10 by chaining a known Dolby vulnerability (CVE-2025-54957) with a newly discovered, trivial local privilege escalation flaw in the device's VPU driver. The VPU vulnerability allowed unbounded physical memory mapping via the mmap syscall, granting arbitrary read/write access to the kernel image and enabling full device compromise.
Authors: Project Zero
Source: Project Zero
- CVE-2025-54957: Dolby UDC 0-click vulnerability used as the initial execution vector in the Pixel 10 exploit chain.
Detection / Hunter: Google
What Happened
Security researchers at Google's Project Zero demonstrated a 'zero-click' attack against the Google Pixel 10 smartphone. By combining a previously known media processing bug with a newly discovered flaw in the phone's video processing chip, they were able to take complete control of the device without any user interaction. This highlights the ongoing need for rigorous security testing in device drivers. Users should ensure their Pixel devices are updated to the February 2026 security patch or later to protect against this vulnerability.
Key Takeaways
- Researchers successfully ported a 0-click exploit chain to the Pixel 10 by combining an updated Dolby vulnerability (CVE-2025-54957) with a new VPU driver flaw.
- The Pixel 10 VPU driver (/dev/vpu) contained a trivial unbounded mmap vulnerability allowing arbitrary physical memory access.
- Exploitation of the VPU bug is highly reliable because the kernel resides at a fixed physical address on Pixel devices.
- The VPU vulnerability was patched in the February 2026 Pixel security bulletin, 71 days after being reported.
Affected Systems
- Google Pixel 10 (unpatched, SPL December 2025 or earlier)
- Android
Vulnerabilities (CVEs)
- CVE-2025-54957
Attack Chain
The attack initiates via a 0-click vector exploiting CVE-2025-54957 in the Dolby UDC library, bypassing RET PAC by overwriting the dap_cpdp_init initialization function. Once initial code execution is achieved, the exploit targets the /dev/vpu driver for the Chips&Media Wave677DV silicon. By issuing an mmap syscall with a size larger than the VPU register region, the attacker exploits an unbounded remap_pfn_range call to map the kernel's physical memory into userspace. This grants arbitrary kernel read/write capabilities, leading to full root privilege escalation.
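The control gap is the missing size check before `remap_pfn_range`. The following added example (not Project Zero's or Google's code) models the two handler shapes in plain user-space C: the unbounded variant accepts any request length, while the hardened variant rejects any offset-plus-length that does not fit inside the register window. The window size and all names are assumptions for illustration; the page does not give the real Wave677DV register region size.

```c
/* Added example: user-space model of a device mmap() size check.
 * Names and the register window size are assumptions, not the real driver. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096ULL
/* Assumed register window size for illustration only (64 KiB). */
#define VPU_REG_SIZE (16ULL * PAGE_SIZE)

/* Shape of the unbounded handler described above: the requested length
 * (vm_end - vm_start) is handed to the remap call unchecked, so a request
 * larger than the register window reaches physical pages beyond it. */
bool vpu_mmap_unbounded(uint64_t vm_start, uint64_t vm_end, uint64_t vm_pgoff)
{
    (void)vm_pgoff;            /* offset is not validated either */
    return vm_end > vm_start;  /* any non-empty size is accepted */
}

/* Hardened handler: offset and length must both lie inside the window.
 * The comparison is written so that a huge vm_pgoff or length cannot wrap. */
bool vpu_mmap_bounded(uint64_t vm_start, uint64_t vm_end, uint64_t vm_pgoff)
{
    if (vm_end <= vm_start)
        return false;
    uint64_t len = vm_end - vm_start;
    if (len % PAGE_SIZE != 0)                      /* must be page granular */
        return false;
    uint64_t region_pages = VPU_REG_SIZE / PAGE_SIZE;
    if (vm_pgoff >= region_pages)                  /* offset past the window */
        return false;
    if (len / PAGE_SIZE > region_pages - vm_pgoff) /* overruns the window */
        return false;
    return true;
}

int main(void)
{
    uint64_t base = 0x7f0000000000ULL;             /* arbitrary user address */
    uint64_t huge = 0x40000000ULL;                 /* 1 GiB request */
    printf("unbounded accepts 1 GiB: %d\n", vpu_mmap_unbounded(base, base + huge, 0));
    printf("bounded accepts 1 GiB:   %d\n", vpu_mmap_bounded(base, base + huge, 0));
    printf("bounded accepts window:  %d\n", vpu_mmap_bounded(base, base + VPU_REG_SIZE, 0));
    return 0;
}
```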
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the article.
Detection Engineering Assessment
- EDR Visibility: Low — Mobile device exploitation (Android) typically lacks the deep EDR telemetry available on traditional endpoints, especially for kernel-level driver exploitation.
- Network Visibility: None — The exploit chain operates entirely locally on the device via media parsing and local driver interaction.
- Detection Difficulty: Hard — Detecting 0-click media parsing exploits and kernel memory mapping abuse requires deep system-level telemetry that is rarely exposed or monitored on mobile devices.
Required Log Sources
- Android logcat
- Kernel audit logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for anomalous or excessively large memory mapping requests originating from untrusted applications targeting the /dev/vpu device node. | Kernel audit logs, syscall monitoring | Privilege Escalation | Low |
Control Gaps
- Lack of bounds checking in VPU driver mmap handler
- Fixed physical kernel address on Pixel devices facilitating reliable exploitation
Key Behavioral Indicators
- Unexpected processes interacting with /dev/vpu
- Overwriting of dap_cpdp_init during Dolby UDC initialization
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Ensure all corporate-managed Google Pixel devices are updated to the February 2026 Android Security Bulletin or later.
Infrastructure Hardening
- Evaluate Mobile Device Management (MDM) policies to enforce minimum OS version requirements for device access to corporate resources.
User Protection
- Consider implementing mobile threat defense (MTD) solutions to monitor for signs of device compromise or rooting.
Security Awareness
- Educate users on the importance of applying mobile device updates promptly, especially to protect against zero-click vulnerabilities.
MITRE ATT&CK Mapping
- T1203 - Exploitation for Client Execution
- T1068 - Exploitation for Privilege Escalation