TL;DR
Security researchers have identified a zero-click exploit chain affecting the Pixel 10. The chain exploits a Dolby vulnerability and a new VPU driver flaw, only affecting unpatched devices. This highlights ongoing security challenges in Android hardware.
Security researchers have uncovered a zero-click exploit chain affecting the Google Pixel 10, capable of gaining root access without user interaction on devices running unpatched firmware. This development underscores significant security vulnerabilities in the device’s hardware and software stack, raising concerns over remote compromise risks for users who have not applied updates.
The exploit chain involves two main components: a Dolby audio vulnerability (CVE-2025-54957) that was patched in January 2026, and a new vulnerability in the Pixel 10’s VPU driver used for video decoding. Researchers updated an existing Dolby exploit from Pixel 9 to work on Pixel 10, requiring only minor adjustments due to differences in library offsets and the use of RET PAC instead of traditional stack protection.
Additionally, a critical flaw was found in the VPU driver, which directly exposes hardware registers to user space without proper bounds checking. This flaw allows an attacker to map excessive physical memory, including kernel code, via a manipulated mmap syscall. Exploiting this bug enables arbitrary kernel read/write, facilitating privilege escalation. The vulnerability was reported on November 24, 2025, rated high severity, and patched within 71 days in the February 2026 security update.
Why It Matters
This discovery highlights ongoing security challenges in Android devices, especially related to hardware drivers and low-level components. The rapid patching demonstrates progress in Android’s vulnerability response but also underscores the persistent risks posed by unpatched hardware vulnerabilities. For users, it emphasizes the importance of timely updates to prevent exploitation of such flaws.
![FNTCASE for Google Pixel 10a Case: [Compatible with Magsafe] Translucent Matte Cases with [Screen Protector] Military Grade Shockproof Protective Magnetic Phone Cover for Pixel 10A - Black](https://m.media-amazon.com/images/I/41px17Tm3cL._SL500_.jpg)
FNTCASE for Google Pixel 10a Case: [Compatible with Magsafe] Translucent Matte Cases with [Screen Protector] Military Grade Shockproof Protective Magnetic Phone Cover for Pixel 10A – Black
Compatibility: This case only Fits for Google Pixel 10a (6.3 inch, Released in 2026). Please confirm your phone…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Background
The Pixel 10, released in late 2025, shares architectural similarities with its predecessor but introduces new hardware components, including the VPU chip for video processing. Previous research on Pixel 9 revealed a Dolby vulnerability that allowed privilege escalation, which was patched in early 2026. The recent findings extend this security concern to Pixel 10, showcasing both the evolving threat landscape and improvements in Android’s vulnerability management.
“The VPU driver flaw is exceptionally simple to exploit and could allow remote code execution on unpatched Pixel 10 devices.”
— Researcher involved in the discovery
“We prioritize rapid patching of high-severity vulnerabilities to protect users, as demonstrated by the swift fix for this issue.”
— Android Security Team
byepica 5 Pcs Laptop Security Devices, Adhesive Zinc Alloy Plate, Anti-Theft for Tablets & Notebooks, 1.3 in, Easy Installation
Device protection enhancement: strengthen your security with this anti-theft plate; helps avert loss; versatile compatibility with tablets and…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
What Remains Unclear
It is still unclear whether these vulnerabilities have been exploited in active attacks or are being exploited in the wild. Details about potential exploit code circulating outside research circles are not confirmed. The full extent of the vulnerabilities’ impact on other Pixel models or Android devices remains to be assessed.
VPU driver update for Pixel 10
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
What’s Next
Google is expected to continue monitoring for exploitation attempts and may release further security updates if additional related vulnerabilities are discovered. Users are advised to apply all available patches promptly. Researchers will likely examine whether similar vulnerabilities exist in other hardware components or Android devices.
RXNMH 2+2 Pack for Google Pixel 10 Privacy Screen Protector & Camera Lens Protector, Support Fingerprint Unlock, Fit Lens Cutouts, Anti Spy Tempered Glass Film, Anti-dust, Easy Installation Tool
【25° Privacy Protection】Our pixel 10 privacy screen protector adopts advanced privacy protection optical tech, the screen is only…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
What is a zero-click exploit?
A zero-click exploit is a security vulnerability that allows an attacker to compromise a device without any user interaction, such as clicking links or opening files.
Are Pixel 10 devices currently vulnerable?
Only unpatched Pixel 10 devices are vulnerable. Devices updated with the latest security patches, released in early 2026, are protected against these specific vulnerabilities.
Can these vulnerabilities be exploited remotely?
Yes, the vulnerabilities, particularly the Dolby and VPU driver flaws, can be exploited remotely through crafted media or memory mappings, without user interaction.
What should users do to protect their devices?
Users should ensure their Pixel 10 devices are updated to the latest firmware version released by Google, which patches these vulnerabilities.
