Threat Feed
critical advisory

Pixel 10 Zero-Click Exploit Chain via Dolby and VPU Driver Vulnerabilities

A zero-click exploit chain was developed for the Google Pixel 10, achieving root access on Android by exploiting a patched Dolby vulnerability (CVE-2025-54957) and a memory mapping vulnerability in the Chips&Media Wave677DV video processing unit (VPU) driver.

Project Zero researchers developed a zero-click exploit chain for the Google Pixel 10, building on their earlier Pixel 9 work. The chain combines two vulnerabilities: an updated exploit for CVE-2025-54957, a Dolby vulnerability patched in January 2026, and a newly discovered memory mapping vulnerability in the Chips&Media Wave677DV video processing unit (VPU) driver, exposed as /dev/vpu on the Tensor G5 chip. The VPU driver's mmap handler does not bound the requested mapping to the register region, so a process that can open /dev/vpu can map arbitrary physical memory, including the kernel image, into its own address space; that gives arbitrary kernel read/write and complete device compromise. The research underlines the need for careful bounds checking in Android kernel driver code and for rapid patching of newly disclosed vulnerabilities. The updated Dolby UDC exploit works only on unpatched devices with a security patch level of December 2025 or earlier.

Attack Chain

  1. The attacker delivers a crafted media file to the target device; no user interaction is required.
  2. Decoding the file triggers the Dolby vulnerability (CVE-2025-54957), giving code execution inside the media process.
  3. The exploit overwrites dap_cpdp_init in the Dolby library to redirect control flow.
  4. The attacker now has code execution, but only with the limited privileges of the media process.
  5. From that process, the attacker opens the /dev/vpu device node of the Chips&Media Wave677DV VPU driver.
  6. The attacker calls mmap() on it with a length larger than the VPU's MMIO register region; vpu_mmap does not bound the request against the size of that region.
  7. The mapping therefore extends past the registers, letting the attacker map arbitrary physical memory, including the kernel image, into userland.
  8. With kernel memory writable from userland, the attacker overwrites kernel functions with malicious code, gaining kernel code execution and root privileges.
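The mapping step above is the whole VPU bug. The following is an added illustration written for this brief, not code from the Wave677DV driver or from Project Zero: a hypothetical character-device mmap handler in the unchecked form the chain abuses, next to a bounded form, with the kernel structures replaced by minimal stand-ins (the `vma`, `vpu_dev` and `remap` structs and the `vpu_mmap_*` names are all assumptions) so it compiles and runs in userspace.

```c
/* Added illustration, not the Wave677DV driver's code. Kernel structures are
 * modelled by minimal stand-ins so the two handler variants run in userspace. */
#include <errno.h>
#include <stdio.h>

#define PAGE_SHIFT 12UL
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

/* Stand-in for the vm_area_struct fields an mmap handler reads. */
struct vma {
    unsigned long vm_start;  /* userspace start address */
    unsigned long vm_end;    /* userspace end address (exclusive) */
    unsigned long vm_pgoff;  /* mmap() offset, in pages */
};

/* Hypothetical device record: physical base and size of the register block. */
struct vpu_dev {
    unsigned long reg_phys;
    unsigned long reg_size;
};

/* What a remap_pfn_range()-style call would be handed. */
struct remap {
    int ret;                 /* 0 or -errno */
    unsigned long first_pfn; /* first physical page given to userspace */
    unsigned long npages;    /* number of pages mapped */
};

/* Vulnerable pattern: length and offset are used as supplied, so a request
 * larger than reg_size hands out the physical pages that follow the register
 * block; the brief reports that on the Pixel 10 this reached the kernel image. */
struct remap vpu_mmap_unchecked(const struct vpu_dev *dev, const struct vma *vma)
{
    struct remap r = {0, 0, 0};
    unsigned long len = vma->vm_end - vma->vm_start;

    r.first_pfn = (dev->reg_phys >> PAGE_SHIFT) + vma->vm_pgoff;
    r.npages = len >> PAGE_SHIFT;
    return r;
}

/* Bounded form: reject empty or unaligned lengths, then require that the
 * [offset, offset + length) window lies inside the register block. The check
 * is done in pages with subtraction only, so it cannot wrap. */
struct remap vpu_mmap_checked(const struct vpu_dev *dev, const struct vma *vma)
{
    struct remap r = {0, 0, 0};
    unsigned long len = vma->vm_end - vma->vm_start;
    unsigned long reg_pages = (dev->reg_size + PAGE_SIZE - 1) >> PAGE_SHIFT;
    unsigned long len_pages = len >> PAGE_SHIFT;

    if (len == 0 || (len & (PAGE_SIZE - 1)) != 0) {
        r.ret = -EINVAL;
        return r;
    }
    if (vma->vm_pgoff >= reg_pages || len_pages > reg_pages - vma->vm_pgoff) {
        r.ret = -EINVAL;
        return r;
    }
    r.first_pfn = (dev->reg_phys >> PAGE_SHIFT) + vma->vm_pgoff;
    r.npages = len_pages;
    return r;
}

/* 1 when every page of a granted mapping lies inside the register block. */
int remap_within_region(const struct vpu_dev *dev, const struct remap *r)
{
    unsigned long base = dev->reg_phys >> PAGE_SHIFT;
    unsigned long reg_pages = (dev->reg_size + PAGE_SIZE - 1) >> PAGE_SHIFT;
    unsigned long start_off;

    if (r->ret != 0 || r->first_pfn < base)
        return 0;
    start_off = r->first_pfn - base;
    return start_off < reg_pages && r->npages <= reg_pages - start_off;
}

int main(void)
{
    /* Constructed values: a 4 KiB register block at an arbitrary physical base,
     * and a caller asking for 1 MiB starting at offset 0. */
    struct vpu_dev dev = { 0x1a000000UL, 0x1000UL };
    struct vma ask = { 0x7f00000000UL, 0x7f00100000UL, 0 };
    struct remap a = vpu_mmap_unchecked(&dev, &ask);
    struct remap b = vpu_mmap_checked(&dev, &ask);

    printf("unchecked: ret=%d pages=%lu within_region=%d\n",
           a.ret, a.npages, remap_within_region(&dev, &a));
    printf("checked:   ret=%d\n", b.ret);
    return 0;
}
```

In a real Linux driver the bounded form is what the kernel's own `vm_iomap_memory(vma, phys, size)` helper implements; a bare `remap_pfn_range()` performs no such check, which is why handlers that compute the PFN range themselves need the offset and length validation shown here.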

Impact

Successful exploitation of this chain gives the attacker complete control of the targeted Google Pixel 10: access to sensitive user data, installation of malicious applications, and any other action with root privileges. Because the initial vector requires no user interaction, unpatched devices could be compromised at scale. Affected sector: mobile devices.

Recommendation

  • Deploy the Sigma rules in this brief to your SIEM and tune them for your environment to detect exploitation attempts targeting the VPU driver.
  • Monitor for unexpected memory mappings of the /dev/vpu device, the step that gives the chain kernel access in the Attack Chain (log source: process_creation). Note that process-creation telemetry alone does not record mmap() arguments; checking mapping sizes requires syscall-level visibility such as audit or eBPF tracing.
  • CVE-2025-54957 is fixed in the January 2026 patch level; identify devices still on a December 2025 or earlier security patch level, which remain exposed to the Dolby exploit as described in the Overview, and update them.
  • Review kernel driver code, particularly mmap handlers, for the same defect as described in "The Holy Grail of Kernel Vulnerabilities": every handler must bound both the requested offset and length against the backing resource before mapping it.

Detection coverage (3 rules)

Detect VPU Driver Access via Process Creation

medium

Detects process creation events where a process interacts with the /dev/vpu device, potentially indicating exploitation attempts.

sigma tactics: privilege_escalation techniques: T1068 sources: process_creation, linux

Detect Large Memory Mapping of VPU Device

high

Detects suspicious memory mapping sizes when interacting with the /dev/vpu device, indicating potential exploitation of the mmap vulnerability.

sigma tactics: privilege_escalation techniques: T1068 sources: process_creation, linux
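The rule above and the recommendation to monitor /dev/vpu mappings both reduce to one check: does the requested [offset, offset + length) window fit inside the VPU register block? The following is an added example written for this brief, not one of the platform's Sigma rules, that runs that check over constructed trace lines. The line format is hypothetical (what an eBPF probe on mmap() could emit after resolving the file descriptor to its path), and the 4 KiB register block size is an illustrative assumption, not the Wave677DV's real size.

```c
/* Added example, not one of the brief's Sigma rules. The trace line format and
 * the VPU_REG_SIZE value are assumptions for illustration only. */
#include <stdio.h>
#include <string.h>

#define VPU_DEV      "/dev/vpu"
#define VPU_REG_SIZE 0x1000UL   /* assumed register block size, for illustration */

struct mmap_event {
    int pid;
    char comm[32];
    char path[64];
    unsigned long len;   /* requested mapping length, bytes */
    unsigned long off;   /* mmap() offset, bytes */
};

/* Constructed sample trace: a benign 4 KiB mapping, an oversize 1 MiB mapping,
 * an unrelated device, a 4 KiB mapping whose offset pushes it past the block,
 * and a non-mmap record. Lines 1 and 3 (zero-based) should fire. */
static const char *const SAMPLE_LINES[] = {
    "mmap pid=2048 comm=\"media.codec\" path=\"/dev/vpu\" len=0x1000 off=0x0",
    "mmap pid=2048 comm=\"media.codec\" path=\"/dev/vpu\" len=0x100000 off=0x0",
    "mmap pid=1337 comm=\"surfaceflinger\" path=\"/dev/binder\" len=0x100000 off=0x0",
    "mmap pid=2048 comm=\"media.codec\" path=\"/dev/vpu\" len=0x1000 off=0x1000",
    "openat pid=2048 comm=\"media.codec\" path=\"/dev/vpu\"",
};
#define SAMPLE_COUNT (sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0])

/* Parse one trace line; returns 1 for an mmap record, 0 for anything else. */
int parse_mmap_line(const char *line, struct mmap_event *ev)
{
    int n = sscanf(line,
                   "mmap pid=%d comm=\"%31[^\"]\" path=\"%63[^\"]\" len=%lx off=%lx",
                   &ev->pid, ev->comm, ev->path, &ev->len, &ev->off);
    return n == 5;
}

/* The detection: an mmap() of /dev/vpu whose window does not fit inside the
 * register block. Uses subtraction only so off + len cannot wrap. */
int mmap_exceeds_vpu_region(const struct mmap_event *ev)
{
    if (strcmp(ev->path, VPU_DEV) != 0)
        return 0;
    if (ev->off > VPU_REG_SIZE)
        return 1;
    return ev->len > VPU_REG_SIZE - ev->off;
}

/* Scan lines, record the indices of firing records, return the hit count. */
size_t scan_trace(const char *const *lines, size_t n, size_t *hit_idx, size_t max_hits)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        struct mmap_event ev;
        if (!parse_mmap_line(lines[i], &ev))
            continue;
        if (mmap_exceeds_vpu_region(&ev)) {
            if (hits < max_hits)
                hit_idx[hits] = i;
            hits++;
        }
    }
    return hits;
}

int main(void)
{
    size_t idx[8];
    size_t n = scan_trace(SAMPLE_LINES, SAMPLE_COUNT, idx, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("ALERT line %zu: %s\n", idx[i], SAMPLE_LINES[idx[i]]);
    return 0;
}
```

The offset case matters in practice: a mapping of exactly the register block size still leaves the block when the caller supplies a non-zero offset, so a rule that only compares the length against the region size misses it.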

Detect Overwrite of Kernel Functions via Mmap

high

Detects attempts to overwrite kernel functions after memory mapping the VPU device, indicative of privilege escalation.

sigma tactics: privilege_escalation techniques: T1068 sources: file_event, linux

Detection queries are available on the platform.