Researchers Disclose Critical 0-Click Exploit Chain for Google Pixel 10, Exposing Kernel Memory
Key Takeaways
- A complete 0-click exploit chain exists for Pixel 10 requiring no user interaction, combining a Dolby vulnerability and a VPU driver flaw
- The VPU driver has a critical design vulnerability: it maps physical memory to userspace without validating the requested region size
- Attackers can map arbitrary kernel memory and directly modify kernel code, achieving full system compromise
Summary
Security researchers have published a complete 0-click exploit chain for the Google Pixel 10 that achieves root access without any user interaction. The attack chains together two vulnerabilities: an updated Dolby audio exploit (CVE-2025-54957) and a newly discovered critical flaw in the Pixel 10's VPU (Video Processing Unit) driver used for hardware-accelerated video decoding on the Tensor G5 chip.
The Dolby vulnerability was ported from an earlier Pixel 9 exploit by updating memory offsets and adapting to the Pixel 10's RET PAC stack protection mechanism. However, the more severe issue is in the VPU driver itself, which improperly exposes the hardware's memory-mapped I/O (MMIO) registers directly to userspace. The researchers, working with Jann Horn, discovered that the driver's memory mapping function fails to validate the requested memory region size, allowing attackers to map arbitrary physical memory—including the entire kernel image—into their address space.
Once kernel memory is accessible, attackers can trivially overwrite kernel functions to achieve code execution, described by researchers as "the holy grail of kernel vulnerabilities." The exploit chain works on devices with Security Patch Level (SPL) dated December 2025 or earlier. This disclosure underscores a fundamental design flaw in Google's hardware abstraction strategy.
- Devices with SPL December 2025 or earlier are vulnerable; the Dolby CVE was patched in January 2026
- The research was conducted in collaboration with Jann Horn and represents a 2-hour audit of the VPU driver
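As an added example (not the researchers' or Google's code, and not the real VPU driver), the missing mapping-size check described above modelled in portable C: a flawed mmap-style handler that trusts the caller's offset and length beside a hardened one that confines every request to the device's own MMIO window. The register base, window size and page size are constructed placeholders.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed MMIO window for a hypothetical device; these are not the
 * Pixel 10 VPU's real register addresses. */
#define DEV_MMIO_BASE  0x1D000000ULL   /* physical base of the register block */
#define DEV_MMIO_SIZE  0x00010000ULL   /* 64 KiB of registers */
#define PAGE_4K        0x1000ULL

/* Flawed pattern: the page frame number is derived from the caller's offset
 * and the caller's length is mapped as-is. Nothing ties the request to the
 * device window, so any physical range can be requested. */
static bool dev_mmap_unchecked(uint64_t off, uint64_t len, uint64_t *pfn_out)
{
    (void)len;                          /* length is never compared to anything */
    *pfn_out = (DEV_MMIO_BASE + off) >> 12;
    return true;
}

/* Hardened pattern: the request must be non-empty, page aligned, and lie
 * entirely inside [DEV_MMIO_BASE, DEV_MMIO_BASE + DEV_MMIO_SIZE). The second
 * test is written so that off + len is never computed, which also rejects
 * lengths chosen to wrap the 64-bit address arithmetic. */
static bool dev_mmap_checked(uint64_t off, uint64_t len, uint64_t *pfn_out)
{
    if (len == 0 || (off & (PAGE_4K - 1)) || (len & (PAGE_4K - 1)))
        return false;                   /* empty or unaligned request */
    if (off > DEV_MMIO_SIZE || len > DEV_MMIO_SIZE - off)
        return false;                   /* runs past the window or would wrap */
    *pfn_out = (DEV_MMIO_BASE + off) >> 12;
    return true;
}
```

A real driver would apply the same comparison against the resource it obtained for the device before handing the range to the kernel's page-mapping helper.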
Editorial Opinion
This vulnerability exposes a critical design philosophy failure at Google: exposing raw hardware interfaces directly to userspace without proper abstraction layers and validation. While hardware acceleration is essential for performance, the VPU driver's decision to map device memory without bounds checking represents a catastrophic kernel security oversight. The fact that such a fundamental flaw persisted in a shipping product highlights how even major technology companies can introduce severe vulnerabilities through improper driver design. This disclosure should prompt a comprehensive security audit of similar hardware abstraction drivers across Android devices.