Zero-click exploits cut through traditional user interaction defenses. "Don't click suspicious links," "don't open unknown attachments"—none of that matters when a device can be compromised just by receiving a crafted message or audio stream. This bypasses typical user-centric security models, raising critical questions about the automatic processing of untrusted data and the inherent vulnerabilities it can introduce. The Pixel 10 0-click exploit exemplifies this, demonstrating how a device can be compromised without any user interaction.
Google Project Zero (GPZ) recently detailed a full Pixel 10 0-click exploit chain, with details released on May 14, 2026. This isn't a theoretical exercise; it underscores the ongoing technical challenge of securing complex devices against sophisticated exploit chains, particularly those leveraging features designed for convenience. The discovery of such a critical vulnerability in a flagship device like the Pixel 10 highlights the constant cat-and-mouse game between device manufacturers and security researchers, where even the most robust security measures can be circumvented by determined attackers, as demonstrated by this Pixel 10 0-click exploit.
The Pixel 10 0-Click Exploit Problem: When Convenience Becomes a Liability
The concept of a 0-click exploit is particularly insidious because it removes the user from the attack vector entirely. Unlike phishing or malware that requires user interaction, a 0-click attack can compromise a device simply by receiving a specially crafted message, a malicious audio stream, or even a rogue Wi-Fi packet. For the Pixel 10, this meant that a user could have their device fully compromised without ever knowing, simply by being in range of an attacker or receiving a message they didn't even open. This level of stealth and invasiveness makes the Pixel 10 0-click exploit a significant concern for user privacy and data security.
The implications extend beyond just the immediate compromise. A successful 0-click exploit grants an attacker deep access, potentially allowing for data exfiltration, surveillance, or even the installation of persistent malware. This bypasses typical user-centric security models, raising critical questions about the automatic processing of untrusted data and the inherent vulnerabilities it can introduce. The fact that Google Project Zero, a team renowned for finding critical vulnerabilities, was able to chain together multiple flaws to achieve this level of compromise on the Pixel 10 underscores the complexity of modern device security.
How a Dolby Bug and a Kernel Flaw Opened the Pixel 10
This exploit chain is a two-stage operation, a classic example of chaining a remote code execution vulnerability with a local privilege escalation to achieve full root access on a Pixel 10 from zero interaction. This aligns with MITRE ATT&CK techniques for Initial Access (T1203: Exploitation for Client Execution) followed by Privilege Escalation (T1068: Exploitation for Privilege Escalation). Understanding these stages is crucial to grasping the full scope of the Pixel 10 0-click exploit.
The 0-click entry point comes via a vulnerability in the Dolby Unified Decoder (UDC), specifically CVE-2025-54957. This vulnerability isn't new; GPZ previously exploited it against the Pixel 9. Google patched it in January 2026. However, for the Pixel 10, researchers updated the offsets for a specific library version, demonstrating the adaptability required for exploit development across different device generations.
They also had to bypass Return Address Pointer Authentication (RET PAC), a security mitigation that replaces the older -fstack-protector. RET PAC is designed to prevent attackers from overwriting return addresses on the stack, a common technique for achieving arbitrary code execution. The researchers achieved this bypass by cleverly overwriting the dap_cpdp_init initialization code, effectively neutralizing a key security layer. This means if a Pixel 10 is running a Security Patch Level (SPL) of December 2025 or earlier, this 0-click still works, leaving a significant window of vulnerability for many users.
Achieving remote code execution was the first step; the second vulnerability provided the path to root access, completing the full Pixel 10 0-click exploit chain.
The VPU Driver: A New Path to Root
For the local privilege escalation, GPZ targeted the /dev/vpu driver on the Pixel 10. This driver replaced the BigWave driver used on the Pixel 9 and interacts with the Chips&Media Wave677DV silicon for video decoding acceleration. The shift to new hardware components often introduces new attack surfaces, as these drivers may not have undergone the same level of security scrutiny as older, more established components.
The vulnerability was in the vpu_mmap handler. This handler calls remap_pfn_range based on the Virtual Memory Area (VMA) size, but it wasn't properly bounded to the actual VPU register region size. This means an attacker can map arbitrary physical memory into userland, starting right at the VPU register region's physical address. This type of memory mapping vulnerability is extremely powerful, as it allows an attacker to read and write to sensitive kernel memory.
And because the kernel image's physical address (.text, .data regions) is known relative to the VPU memory, this bug provides an arbitrary kernel read-write primitive. The researchers stated it took them only five lines of code to achieve arbitrary read-write, and they developed the full LPE exploit in less than a day. This rapid development time underscores the severity and ease of exploitation once such a fundamental flaw is discovered. This critical flaw, combined with the Dolby UDC vulnerability, formed the basis of the devastating Pixel 10 0-click exploit.
GPZ reported this kernel vulnerability on November 24, 2025. Google patched it in the February Pixel security bulletin, 71 days after report for a high-severity bug. While 71 days is within industry standards for some vulnerabilities, for a 0-click to root exploit, this window represents a significant period of risk for users.
Architectural Trade-offs in Device Security
A 0-click to root exploit allows for complete device compromise, granting an attacker full control without user interaction. For anyone on a Pixel 10 with a December 2025 or older security patch, this was a live threat until the February 2026 update. This incident serves as a stark reminder that even with advanced security features, the complexity of modern smartphone architectures can introduce unforeseen weaknesses, as seen with the Pixel 10 0-click exploit.
This exploit chain underscores how automatic media processing, while convenient, significantly expands the attack surface. Features designed to enhance user experience, such as seamless audio and video decoding, often rely on complex parsers and drivers that become prime targets for attackers. The persistence of vulnerabilities in these complex parsers highlights the ongoing challenge of writing secure code for untrusted data, especially when performance and feature richness are also key design goals.
Beyond patching individual bugs, this incident highlights how new silicon integration and complex, less-audited kernel drivers, even with mitigations like RET PAC, continue to be prime targets for attackers seeking new exploit vectors. The rapid pace of hardware innovation means that new drivers and interfaces are constantly being introduced, each potentially carrying new security risks that require thorough auditing and testing.
Lessons and Implications for Device Security
While Google's patching efforts addressed the kernel bug within 71 days, the re-adaptation of an older 0-click vulnerability points to deeper, systemic challenges in device security. The fact that a vulnerability previously patched in the Pixel 9 could be adapted for the Pixel 10 suggests a need for more robust, cross-generational security reviews and perhaps a more proactive approach to identifying similar flaws in new hardware integrations, making the Pixel 10 0-click exploit a case study in persistent threats.
The Pixel 10 0-click exploit chain serves as a concrete example of how the pursuit of convenience, through features like automatic media processing and complex hardware integration, can inadvertently expand the attack surface. It underscores the critical need for rigorous security-by-design principles, particularly in less-audited components like kernel drivers, to prevent such zero-click compromises. Moving forward, manufacturers must prioritize security not just as an add-on, but as an integral part of the entire development lifecycle, from chip design to software implementation.
For users, the primary lesson is the importance of timely updates. While no system is perfectly secure, applying security patches as soon as they are available significantly reduces the window of vulnerability. The Pixel 10 incident reminds us that even without user interaction, devices can be at risk, making the role of security updates more critical than ever.
