{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/pixel-10/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2025-54957"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Pixel 10","Tensor G5 chip","Wave677DV"],"_cs_severities":["critical"],"_cs_tags":["android","zero-click","privilege-escalation","kernel-exploit"],"_cs_type":"advisory","_cs_vendors":["Google","Chips\u0026Media"],"content_html":"\u003cp\u003eProject Zero researchers developed a zero-click exploit chain for the Google Pixel 10, building upon their previous work on the Pixel 9. The exploit chain leverages two key vulnerabilities: an updated exploit for CVE-2025-54957 (a Dolby vulnerability patched in January 2026) and a newly discovered memory mapping vulnerability in the Chips\u0026amp;Media Wave677DV video processing unit (VPU) driver found at /dev/vpu on the Tensor G5 chip. The VPU driver vulnerability allows for arbitrary read/write access to the kernel, leading to complete device compromise. This research highlights the critical need for robust security practices in Android driver development and the importance of rapid patching for newly discovered vulnerabilities. The updated Dolby UDC exploit is effective only on unpatched devices with a security patch level of December 2025 or earlier.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted media file to the target device, leveraging the Dolby vulnerability (CVE-2025-54957).\u003c/li\u003e\n\u003cli\u003eThe crafted media file triggers a vulnerability in the Dolby decoder, allowing code execution in the context of the media process.\u003c/li\u003e\n\u003cli\u003eThe exploit overwrites \u003ccode\u003edap_cpdp_init\u003c/code\u003e in the Dolby library to redirect control flow.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial code execution, but limited privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker interacts with the \u003ccode\u003e/dev/vpu\u003c/code\u003e device driver for the Chips\u0026amp;Media Wave677DV VPU.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the \u003ccode\u003evpu_mmap\u003c/code\u003e function to map the VPU\u0026rsquo;s MMIO register region into userland, specifying a size larger than the register region.\u003c/li\u003e\n\u003cli\u003eThis allows the attacker to map arbitrary physical memory, including the kernel image, into userland.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites kernel functions with malicious code, gaining kernel code execution and root privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this chain grants the attacker complete control over the targeted Google Pixel 10 device. This includes the ability to access sensitive user data, install malicious applications, and perform any action with root privileges. Given the zero-click nature of the initial vulnerability, a large number of devices could be compromised without user interaction. The affected sector is mobile devices.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect potential exploitation attempts targeting the VPU driver.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected memory mappings involving the \u003ccode\u003e/dev/vpu\u003c/code\u003e device, as indicated by the successful exploitation in the Attack Chain (log source: process_creation).\u003c/li\u003e\n\u003cli\u003eWhile CVE-2025-54957 is patched, monitor for older devices potentially vulnerable to the Dolby exploit, as described in the Overview.\u003c/li\u003e\n\u003cli\u003eReview kernel driver code, particularly memory mapping functions, for similar vulnerabilities as described in \u0026ldquo;The Holy Grail of Kernel Vulnerabilities\u0026rdquo; to prevent future exploits.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T17:21:02Z","date_published":"2026-05-13T17:21:02Z","id":"https://feed.craftedsignal.io/briefs/2026-05-pixel-10-zero-click/","summary":"A zero-click exploit chain was developed for the Google Pixel 10, achieving root access on Android by exploiting a patched Dolby vulnerability (CVE-2025-54957) and a memory mapping vulnerability in the Chips\u0026Media Wave677DV video processing unit (VPU) driver.","title":"Pixel 10 Zero-Click Exploit Chain via Dolby and VPU Driver Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-05-pixel-10-zero-click/"}],"language":"en","title":"CraftedSignal Threat Feed — Pixel 10","version":"https://jsonfeed.org/version/1.1"}