Pixel 10 zero‑click exploit chain: new VPU bug replaces BigWave LPE
#Vulnerabilities


AI & ML Reporter
4 min read

Project Zero adapted its Dolby 0‑click root exploit for the Pixel 10, updated the user‑space decoder payload, and discovered a separate VPU driver flaw that lets an unprivileged process map arbitrary physical memory into its own address space, which amounts to kernel read/write. The chain works only on devices that have not received the December 2025 security patch level (SPL), and the VPU bug was patched 71 days after it was reported.



What was claimed

Project Zero announced that the two‑step, zero‑click to root chain demonstrated on the Pixel 9 could be reproduced on the Pixel 10. The claim rested on two pieces: a revised Dolby 0‑click payload that survives the Pixel 10 media build’s switch from stack canaries (-fstack-protector) to return‑address Pointer Authentication (pac‑ret), and a fresh local‑privilege‑escalation (LPE) primitive, because the BigWave driver used on the Pixel 9 is absent on the newer handset.

What is actually new

1. Updated Dolby 0‑click payload (CVE‑2025‑54957)

  • Change of target library – Offsets that were hard‑coded for the Pixel 9’s libmedia.so were recomputed for the Pixel 10 build. The rest of the exploit logic – a heap‑spray of crafted sync‑frames that trigger a use‑after‑free in the Dolby decoder – remains unchanged.
  • Working around the move to PAC – The Pixel 9 payload hijacked control flow the classic way: overwrite the __stack_chk_fail pointer and then deliberately fail a canary check. The Pixel 10 media build is compiled without -fstack-protector and signs return addresses with pac‑ret instead, so that call never happens and return addresses cannot be forged. Because pac‑ret protects only return addresses, an ordinary function pointer remains a usable target. The researchers found that the decoder’s dap_cpdp_init routine is called exactly once during initialization and never again, so a function pointer it uses can be overwritten without disturbing later decoding. Overwriting that pointer gives the attacker code execution inside the privileged media process.
  • Availability – The revised exploit is published as a patch‑level‑specific binary on the Project Zero GitHub repository. It only works on devices running an SPL earlier than December 2025; the December 2025 patch and anything later fix the underlying use‑after‑free.

2. New kernel LPE via the VPU driver

  • Driver context – The Pixel 10 ships a /dev/vpu character device that talks directly to the Chips&Media Wave677DV accelerator. Unlike the older BigWave driver, this VPU driver does not go through the V4L2 subsystem; it maps the hardware’s MMIO registers into user space via mmap.
  • Vulnerability details – The vpu_mmap handler receives the vm_area_struct describing the requested mapping and calls remap_pfn_range with the PFN of the device’s register window. Crucially, the length passed to remap_pfn_range is taken straight from the user‑supplied VMA size (vm_end - vm_start) with no upper bound against the size of the register region. An attacker can therefore request a mapping that extends far past the registers, pulling in whatever physical memory follows them – including the entire kernel image, which the post says sits at a fixed physical offset on Pixel silicon. The missing check is a one‑liner: the requested offset plus length must not exceed the register window.
  • Exploit simplicity – With a single mmap call on /dev/vpu requesting a large size, the attacker obtains a direct read/write window onto kernel text and data. From there, overwriting a known kernel function pointer yields kernel code execution (the post cites init_task, but init_task is the task_struct of PID 0, not a function pointer; a write through it would be a data‑only path, for example patching the credentials of the attacker’s own task). Either way the zero‑click chain is complete. The proof‑of‑concept is under ten lines of C and was written in less than a day.
  • Patch timeline – The bug (CVE‑2025‑XXXXX) was reported on 24 Nov 2025, classified as High severity, and patched in the February 2026 security bulletin – 71 days later. This is the first instance of a Project Zero Android driver bug being fixed within the 90‑day window.

Limitations and open questions

  • Device coverage – Both stages of the chain require a device that is behind on security patches. Any device that received the December 2025 update (or later) is immune to the Dolby 0‑click stage, and the VPU mapping bug is fixed from the February 2026 patch onward. Consequently, the attack surface shrinks as updates roll out.
  • Reliance on deterministic physical layout – The VPU exploit assumes the kernel’s physical base address is constant across Pixel 10 units. While this holds for the reference implementation, a vendor‑specific memory randomisation could invalidate the hard‑coded offset and require a discovery step.
  • Potential mitigations – Generic kernel hardening does not help here: Kernel Page‑Table Isolation (KPTI) only separates kernel virtual mappings from user page tables, and vm.mmap_min_addr only restricts low user virtual addresses, whereas this driver hands user space a physical range of its own choosing through remap_pfn_range. Physical‑address randomisation of the kernel image would turn the hard‑coded offset into a guessing or discovery problem, but the driver still violates the basic contract of an mmap handler (map only the device’s own region) and therefore remains exploitable until patched.
  • Future driver audit – The VPU driver was written by the same team that produced the now‑removed BigWave driver. The quick discovery suggests that a systematic review of all media‑related drivers could uncover additional low‑effort bugs.

Takeaways for the Android security community

  • Positive sign in triage – The faster severity rating and quicker patch window indicate that Android’s vulnerability‑response process is improving, at least for driver‑related issues.
  • Persistent need for defensive coding – The VPU bug is a textbook example of forgetting to validate user‑supplied lengths in a kernel interface. Simple static analysis tools could flag such patterns, and code‑review guidelines should enforce bounds checks on all mmap‑style entry points.
  • Zero‑click chains remain viable – Even with the Dolby decoder patched, the underlying approach—crafting a malicious media payload that corrupts a privileged user‑space decoder without any user interaction, then chaining a kernel driver bug for root—continues to be a realistic threat vector on devices that lag behind on patches.
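To make the bounds‑check point concrete, here is an added example that is not code from Project Zero or from the Pixel 10 driver: a user‑space model of an mmap handler written in the vulnerable shape the article describes, next to a hardened version, and a function that replays the oversized request to see which handler exposes the kernel image. The register base, window size and kernel physical base are assumed placeholder values, the struct is a cut‑down stand‑in for vm_area_struct, and the function names are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model; the addresses are assumptions, not the Pixel 10 memory map. */
#define PAGE_SHIFT   12u
#define PAGE_SIZE    ((uint64_t)1 << PAGE_SHIFT)
#define VPU_REG_PHYS 0x1a000000ull   /* assumed MMIO base of the VPU register window */
#define VPU_REG_SIZE 0x00010000ull   /* assumed 64 KiB register window */
#define KERNEL_PHYS  0x80000000ull   /* assumed physical base of the kernel image */

/* The fields of vm_area_struct that an mmap handler actually consumes. */
struct vma {
    uint64_t vm_start;   /* user virtual start of the requested mapping */
    uint64_t vm_end;     /* user virtual end (exclusive) */
    uint64_t vm_pgoff;   /* mmap() offset argument, in pages */
};

/* What remap_pfn_range() would hand to user space: a physical start and length. */
struct phys_window {
    uint64_t phys_start;
    uint64_t len;
};

/* Vulnerable shape: the length comes straight from the VMA, never compared
 * against the size of the device region. */
static int vpu_mmap_vulnerable(const struct vma *v, struct phys_window *w)
{
    uint64_t len = v->vm_end - v->vm_start;
    w->phys_start = VPU_REG_PHYS + (v->vm_pgoff << PAGE_SHIFT);
    w->len = len;
    return 0;  /* stands in for remap_pfn_range(vma, vm_start, pfn, len, prot) */
}

/* Hardened shape: the mapping must lie entirely inside the register window. */
static int vpu_mmap_fixed(const struct vma *v, struct phys_window *w)
{
    uint64_t len = v->vm_end - v->vm_start;
    uint64_t off;

    if (len == 0 || (len & (PAGE_SIZE - 1)) != 0)
        return -EINVAL;
    /* Check the page offset before shifting it, so the shift cannot overflow. */
    if (v->vm_pgoff >= (VPU_REG_SIZE >> PAGE_SHIFT))
        return -EINVAL;
    off = v->vm_pgoff << PAGE_SHIFT;
    /* off < VPU_REG_SIZE here, so the subtraction cannot wrap. */
    if (len > VPU_REG_SIZE - off)
        return -EINVAL;
    w->phys_start = VPU_REG_PHYS + off;
    w->len = len;
    return 0;
}

/* Does the window handed to user space cover a given physical address? */
static int window_covers(const struct phys_window *w, uint64_t phys)
{
    return phys >= w->phys_start && phys - w->phys_start < w->len;
}

/* Replays the attacker's request: offset 0 and a length that runs from the
 * register window up to 1 MiB past the kernel image base. Returns 1 if the
 * handler accepted it and the resulting window contains the kernel. */
static int oversized_request_reaches_kernel(int (*handler)(const struct vma *, struct phys_window *))
{
    struct vma v = { .vm_start = 0x7f0000000000ull, .vm_pgoff = 0 };
    struct phys_window w = { 0, 0 };
    v.vm_end = v.vm_start + (KERNEL_PHYS - VPU_REG_PHYS) + 0x100000ull;
    if (handler(&v, &w) != 0)
        return 0;  /* rejected: the kernel stays out of reach */
    return window_covers(&w, KERNEL_PHYS);
}

int main(void)
{
    printf("vulnerable handler exposes kernel image: %d\n",
           oversized_request_reaches_kernel(vpu_mmap_vulnerable));
    printf("fixed handler exposes kernel image:      %d\n",
           oversized_request_reaches_kernel(vpu_mmap_fixed));
    return 0;
}
```

The order of checks in vpu_mmap_fixed is the part worth copying: validate the page offset before shifting it, and express the length check as `len > size - off` rather than `off + len > size`, so neither the shift nor the addition can wrap around on a 64‑bit attacker‑controlled value. This is the same pattern a static‑analysis rule for mmap entry points would look for.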

Project Zero’s full exploit source and the VPU driver analysis are available in the public repository linked from the blog post.
