Google Project Zero has demonstrated a formidable exploit chain targeting the Pixel 10, wherein a total device compromise was achieved leveraging merely two vulnerabilities and requiring absolutely zero interaction from the user. Researchers adapted a previously documented flaw within a Dolby media decoder for the contemporary smartphone, subsequently pairing it with a nascent vulnerability discovered within the video processing unit (VPU) driver of the Tensor G5 system-on-chip. Consequently, engineered media content could trigger remote code execution, while the secondary flaw paved an unhindered path to root privileges.
The initial link in this adversarial chain is CVE-2025-54957, situated within the Dolby Unified Decoder. Project Zero had previously weaponized this specific defect during its earlier research on the Pixel 9. Because the Android operating system autonomously processes certain audio formats, voice messages, and media attachments, a meticulously crafted Dolby Digital Plus stream could execute without necessitating a click, file opening, or any other user action. Dolby has since remediated this defect, and the fix was integrated downstream into Android’s January 2026 security patch cycle.
For the Pixel 10 demonstration, the investigators were spared the necessity of re-architecting their initial ingress vector. The bulk of the engineering entailed recalculating memory offsets within the updated Dolby library. However, RET PAC (pointer authentication applied to return addresses), which validates return addresses as code executes, introduced additional complexity. While the legacy Pixel 9 exploit relied on overwriting __stack_chk_fail, this traditional target was absent in the contemporary build. Following iterative experimentation, the team isolated an alternative target: the dap_cpdp_init function, which is invoked exclusively during decoder initialization, so overwriting it does not disturb routine process execution afterwards. This updated Dolby exploit remains effective solely on unpatched hardware with a security patch level of December 2025 or earlier.
The subsequent phase necessitated the unearthing of a novel defect. While privilege escalation on the Pixel 9 was achieved by exploiting a vulnerable BigWave driver, this component has been excised from the Pixel 10 architecture. Instead, researchers directed their scrutiny toward a new device node, /dev/vpu, which facilitates interaction with the Chips&Media Wave677DV video processor embedded within the Tensor G5 chip. From comments in the open-source code, Project Zero established that this driver was engineered and maintained by the same development team previously responsible for BigWave.
A cursory code audit sufficed to reveal a severe vulnerability in the driver’s mmap handling, the mechanism by which a process maps a hardware device’s memory space directly into its own virtual address layout. The VPU driver was architected to restrict access exclusively to the register space of the video processor; however, it failed to validate the requested mapping size before calling remap_pfn_range. Consequently, if a process requested a mapping larger than the legitimate register window, the driver mapped physical memory extending far past the VPU’s perimeter.
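The check that was missing, modelled as an added example (this is not the Pixel 10 VPU driver’s code): a user-space model of an mmap handler with the incomplete validation pattern described above beside a hardened version that bounds the whole requested range. The register base, window size and struct fields are constructed stand-ins for the real driver’s values.

```c
/* Added example: model of an mmap size check, not the actual VPU driver. */
#include <stdbool.h>
#include <stddef.h>

#define PAGE_SZ       4096UL
/* Constructed values: a 64 KiB register window is all the driver should expose. */
#define VPU_REG_BASE  0x1c000000UL
#define VPU_REG_SIZE  0x10000UL

/* Simplified view of the fields a Linux mmap handler reads from vm_area_struct. */
struct vma_req {
    unsigned long vm_start;  /* user virtual start */
    unsigned long vm_end;    /* user virtual end (exclusive) */
    unsigned long vm_pgoff;  /* page offset into the device's address space */
};

/* Flawed pattern: only the starting offset is checked against the window; the
 * length (vm_end - vm_start) is handed to remap_pfn_range unchanged, so a
 * length larger than the window maps physical pages beyond it. */
bool vpu_mmap_vulnerable(const struct vma_req *vma)
{
    unsigned long off = vma->vm_pgoff << 12;
    if (off >= VPU_REG_SIZE)
        return false;
    /* remap_pfn_range(vma, vma->vm_start, (VPU_REG_BASE + off) >> 12,
     *                 vma->vm_end - vma->vm_start, vma->vm_page_prot); */
    return true;
}

/* Hardened form: the entire [off, off + len) range must lie inside the window,
 * the length must be page-sized, and no arithmetic may wrap. */
bool vpu_mmap_fixed(const struct vma_req *vma)
{
    unsigned long len = vma->vm_end - vma->vm_start;
    unsigned long off;

    if (vma->vm_end <= vma->vm_start || (len & (PAGE_SZ - 1)))
        return false;                 /* empty or non-page-multiple length */
    if (vma->vm_pgoff > VPU_REG_SIZE / PAGE_SZ)
        return false;                 /* offset past window; also keeps off from wrapping */
    off = vma->vm_pgoff * PAGE_SZ;
    if (len > VPU_REG_SIZE || off > VPU_REG_SIZE - len)
        return false;                 /* end of range would leave the window */
    return true;
}
```

The second and third cases in the test show the difference: a 1 MiB request, or a 64 KiB request starting 32 KiB into the window, passes the start-only check but is rejected once the end of the range is validated.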
For an adversary, this oversight yields direct, unvalidated access to expansive regions of physical memory, critically including kernel space. On the Pixel platform, the Android kernel is loaded at a highly predictable physical address, precluding the necessity for blind memory enumeration; an attacker merely requires the static offset relative to the VPU memory region. Project Zero emphasizes that arbitrary read and write capabilities within kernel memory were achieved with a mere handful of lines of code, with a functional exploit fully realized in less than a single day.
The hybridization of these two flaws yields a seamless attack methodology:
- Initial Ingress: A precisely engineered media stream triggers arbitrary code execution via the Dolby decoder, completely bypassing user interaction.
- Privilege Escalation: The executed payload weaponizes the vulnerability within /dev/vpu, gaining direct visibility into kernel memory and escalating privileges to root.
- Systemic Compromise: Upon attaining root access, an adversary can systematically deactivate security mitigations, establish persistent backdoors, harvest application data, and manipulate low-level device operations.
In a real-world scenario, the primary payload delivery mechanism would likely be malicious audio or multimedia content processed automatically by Android’s background subsystems. It is precisely this characteristic that classifies the chain as a zero-click exploit; the smartphone owner is not required to follow a link, install an untrusted package, or authorize file execution. Ingress is achieved the moment the vulnerable component autonomously parses the incoming data stream.
Project Zero disclosed the VPU driver vulnerability to Google on November 24, 2025. The Android Vulnerability Reward Program subsequently classified the issue as high severity. A definitive remedy was deployed 71 days later within the February 2026 Pixel security bulletin. For kernel-level and driver-specific flaws within the Android ecosystem, this turnaround represents an expedited remediation timeline, as analogous patches have historically required intervals exceeding 90 days.
The researchers highlighted a commendable shift in Google’s triage responsiveness. A defect of equivalent magnitude within the legacy BigWave driver had initially received a more lenient risk categorization, whereas this nascent VPU flaw was immediately recognized as a severe threat. Nevertheless, the discovery raises unsettling questions regarding the development lifecycle of low-level Android components. Merely five months following the remediation of the BigWave incident, an elementary validation error—conspicuous even during a brief code review—was introduced in a new driver authored by the identical engineering team.
The diagnostic work performed by Project Zero underscores why hardware drivers persist as one of the most hazardous frontiers in mobile security. These components bridge the gap between the Android operating system and physical hardware blocks, executing in close proximity to the kernel and routinely possessing memory access privileges denied to conventional applications. Within this realm, a failure to validate sizes, boundaries, or addresses does not merely cause a localized application crash; it surrenders absolute dominion over the entire operating system.
For the consumer base, the pragmatic takeaway remains straightforward: the Pixel 10 and other Android hardware must be kept meticulously updated with the latest security patches. The exploit chain articulated by Project Zero works exclusively against unpatched systems and is effectively neutralized by current updates. For original equipment manufacturers (OEMs), the mandate is considerably more stringent: rapid post-incident patching mitigates immediate exposure, but it can never substitute for a rigorous, preemptive driver audit prior to commercial market introduction.