Google Project Zero researchers developed a 0-click exploit chain for the Pixel 10, building on their earlier Pixel 9 work. The chain starts with an updated Dolby UDC exploit (CVE-2025-54957) and replaces the Pixel 9's BigWave driver privilege escalation with a new VPU driver vulnerability found in the Tensor G5 chip. The VPU bug is a trivially exploitable mmap handler: it passes a userspace-controlled page offset and size to remap_pfn_range without first checking that the requested range lies inside the device's memory window, so userspace can map arbitrary physical memory, including the entire kernel image. Combined with the kernel always residing at a known physical address on Pixel devices, achieving arbitrary kernel read-write required only 5 lines of code. The bug was reported in November 2025, rated High severity, and patched within 71 days, a notable improvement over previous Android driver vulnerability handling. The post concludes with a call for more proactive security auditing of Android drivers.
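As an added example (not Project Zero's code and not the VPU driver's source, which this page does not reproduce), the following C model shows the shape of the bug: an mmap handler that turns the vma's page offset into the pfn handed to remap_pfn_range without checking it against the window the device is meant to expose, next to the bounds check that would stop it. The region layout, sizes and function names are assumptions; the model runs in userspace and stops at computing the pfn, where a real handler would call remap_pfn_range.

```c
#include <assert.h>
#include <errno.h>
#include <stdio.h>

#define MODEL_PAGE_SHIFT 12UL
#define MODEL_PAGE_SIZE  (1UL << MODEL_PAGE_SHIFT)

/* Hypothetical device window: the only physical pages the driver should let
 * userspace map (assumed layout, not the real Tensor G5 VPU register map). */
struct vpu_region {
    unsigned long base_pfn;   /* first page frame number of the window */
    unsigned long nr_pages;   /* number of pages in the window */
};

/* Constructed window used by main() and the checks below: 16 pages at pfn 0x10000. */
static const struct vpu_region demo_win = { .base_pfn = 0x10000, .nr_pages = 16 };
static unsigned long scratch_pfn;

/* vm_pgoff and vm_size stand in for what an mmap handler reads from the vma:
 * the file offset in pages and vm_end - vm_start. */

/* Vulnerable shape: the offset userspace supplied is turned straight into the
 * pfn that remap_pfn_range() would receive. Nothing ties it to the window, so
 * any page of physical memory, kernel text included, can be requested. */
static int vulnerable_mmap_pfn(const struct vpu_region *r,
                               unsigned long vm_pgoff, unsigned long vm_size,
                               unsigned long *pfn_out)
{
    (void)vm_size;                       /* size is not validated either */
    *pfn_out = r->base_pfn + vm_pgoff;   /* unbounded: may wrap or leave the window */
    return 0;                            /* caller proceeds to remap_pfn_range() */
}

/* Hardened shape: reject anything that does not lie entirely inside the window.
 * The subtraction form avoids the vm_pgoff + nr_pages overflow that a naive
 * "start + len <= end" comparison would miss. */
static int hardened_mmap_pfn(const struct vpu_region *r,
                             unsigned long vm_pgoff, unsigned long vm_size,
                             unsigned long *pfn_out)
{
    unsigned long nr_pages;

    if (vm_size == 0 || (vm_size & (MODEL_PAGE_SIZE - 1)) != 0)
        return -EINVAL;                  /* vma sizes are page multiples; be explicit */
    nr_pages = vm_size >> MODEL_PAGE_SHIFT;

    if (vm_pgoff >= r->nr_pages)
        return -EINVAL;                  /* start is past the window */
    if (nr_pages > r->nr_pages - vm_pgoff)
        return -EINVAL;                  /* end would run past the window, no overflow possible here */

    *pfn_out = r->base_pfn + vm_pgoff;   /* guaranteed inside [base_pfn, base_pfn + nr_pages) */
    return 0;
}

int main(void)
{
    /* Constructed request: offset chosen so base_pfn + pgoff lands far outside the window. */
    unsigned long outside = 0x80000 - demo_win.base_pfn;

    if (vulnerable_mmap_pfn(&demo_win, outside, MODEL_PAGE_SIZE, &scratch_pfn) == 0)
        printf("vulnerable: would remap pfn 0x%lx (outside the window)\n", scratch_pfn);
    if (hardened_mmap_pfn(&demo_win, outside, MODEL_PAGE_SIZE, &scratch_pfn) == -EINVAL)
        printf("hardened: same request rejected\n");
    return 0;
}
```

The two handlers differ only in the three checks; the point of the model is that the offset is attacker-controlled data like any other syscall argument, and the overflow-safe range comparison is what a driver audit should look for.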
Table of contents
Updating the Dolby Exploit
Removal of BigWave, Addition of VPU
The Holy Grail of Kernel Vulnerabilities
Patch Process
Conclusion