Tracing the Pixel 10 Zero-Click Exploit
Researchers successfully ported a zero-click exploit from the Pixel 9 to the Pixel 10, overcoming the latter’s fortified defenses such as RET PAC. The critical weak point? A flaw in the Pixel 10’s Video Processing Unit (VPU) driver that lets user-space processes map and modify kernel memory directly.
This isn’t a minor slip. The exploit chain leverages that driver weakness to escalate privileges with minimal code execution, sidestepping many traditional barriers. The rapid adaptation of a legacy Dolby vulnerability to new hardware exposes persistent challenges in driver-level security. Google’s patch arrived within 71 days, signaling a more agile security posture—but it also raises urgent questions about the risk surface exposed by complex driver interactions in Android’s layered architecture.
From Dolby Flaw to Kernel Access: The Exploit Chain
The Pixel 10 exploit chain began with a Dolby audio driver vulnerability first seen on Pixel 9. Researchers showed how this legacy flaw could be adapted despite new mitigations like RET PAC (Return Pointer Authentication Code), designed to block control-flow hijacking. The attackers bypassed these hardware protections, proving that such defenses alone don’t suffice without robust software hardening.
The breakthrough was a newly discovered vulnerability in the Pixel 10’s VPU driver that allowed direct mapping and modification of kernel memory from user space. Kernel memory is supposed to be strictly off-limits to unprivileged code. Exploiting this flaw gave attackers powerful privilege escalation with minimal initial code execution, effectively granting full OS control.
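The class of flaw described above comes down to a driver's memory-mapping path trusting the offset and length supplied by user space. The following user-space model is an added example, not the Pixel 10 VPU driver's code or Google's patch; the struct, function names, and region values are hypothetical. It sets a handler check that accepts any range beside one that confines requests to the device window without integer wrap-around.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12u
#define PAGE_SIZE  (1ull << PAGE_SHIFT)

/* Hypothetical device window the driver is allowed to expose to user space. */
struct dev_region {
    uint64_t phys_base;  /* constructed value, page aligned */
    uint64_t size;       /* bytes, multiple of PAGE_SIZE */
};

/* Weak form: trusts the caller's offset and length, so a range that lies
 * outside the device window is accepted for mapping. */
bool mmap_range_ok_unchecked(const struct dev_region *r, uint64_t pgoff, uint64_t len)
{
    (void)r; (void)pgoff;
    return len != 0;
}

/* Hardened form: the requested [off, off+len) must lie inside the window.
 * Written with a subtraction so a huge pgoff or len cannot wrap around. */
bool mmap_range_ok(const struct dev_region *r, uint64_t pgoff, uint64_t len)
{
    if (len == 0 || (len & (PAGE_SIZE - 1)))
        return false;                       /* whole pages only */
    if (pgoff > (r->size >> PAGE_SHIFT))
        return false;                       /* offset starts past the window */
    uint64_t off = pgoff << PAGE_SHIFT;     /* safe: off <= r->size here */
    return len <= r->size - off;            /* no addition, no overflow */
}

int main(void)
{
    struct dev_region win = { 0x1a000000ull, 16 * PAGE_SIZE };  /* constructed */
    struct { uint64_t pgoff, len; } req[] = {
        { 0, 16 * PAGE_SIZE },          /* exactly the window */
        { 0, 17 * PAGE_SIZE },          /* one page too long */
        { 15, 2 * PAGE_SIZE },          /* runs off the end */
        { UINT64_MAX >> 4, PAGE_SIZE }, /* offset that would wrap if shifted */
    };
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++)
        printf("pgoff=%#llx len=%#llx unchecked=%d checked=%d\n",
               (unsigned long long)req[i].pgoff, (unsigned long long)req[i].len,
               mmap_range_ok_unchecked(&win, req[i].pgoff, req[i].len),
               mmap_range_ok(&win, req[i].pgoff, req[i].len));
    return 0;
}
```

The same boundary cases (exact fit, one page over, last-page overrun, wrapping offset) make a useful seed set for fuzzing or CI tests of a driver's mapping interface.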
Reported in late 2025, the vulnerability was patched in just 71 days—a notably faster response than previous incidents. This suggests improved coordination in Android’s vulnerability management, especially for complex hardware-software interactions.
Yet the root cause reveals a deeper risk: drivers like the VPU, which bridge hardware and software, remain fertile ground for critical vulnerabilities. These components run with high privileges and complex codebases, making them attractive targets. The Pixel 10 exploit highlights the ongoing challenge of securing drivers against sophisticated zero-click attacks that require no user interaction.
By combining a legacy Dolby flaw with a VPU driver vulnerability, attackers created a potent vector. This case underscores the need for rigorous driver security audits and proactive risk spotting within Android’s layered defense. Without that vigilance, even devices with advanced hardware protections remain vulnerable to stealthy, high-impact exploits.
What This Means for Android Security Practices
The Pixel 10 exploit exposes a persistent tension in Android security: pushing rapid innovation while thoroughly vetting legacy components. Google’s swift patching within 71 days is progress, but the fact that the vulnerability is rooted in a driver, a product of complex hardware-software interplay, shows that new architectures often carry subtle, hard-to-detect weaknesses.
Hardware-enforced mitigations like RET PAC raise the bar, yet attackers still find ways through less scrutinized subsystems such as the VPU driver. This points to a blind spot in driver-level security audits, especially for proprietary or specialized hardware modules with limited source transparency.
The exploit’s zero-click nature magnifies risk by removing any need for user interaction. This challenges threat models focused on user-mediated attacks. Can Android’s layered defenses keep pace with evolving zero-interaction threats, or is a fundamental rethink of privilege boundaries and kernel-driver isolation needed?
Balancing security without sacrificing performance or hardware capabilities remains a classic engineering trade-off, often leaving subtle vulnerabilities hidden.
While the patch was quick, the detection latency before public disclosure is unknown. Zero-click exploits are stealthy by design, so the window of exposure may be longer than reported. This calls for improved proactive monitoring and anomaly detection within Android’s hardware abstraction layers.
As Pixel devices integrate advanced multimedia and AI processing units, the security community must watch how these evolving components reshape the attack surface. The Pixel 10 exploit is a warning: hardware innovation without equally rigorous security scrutiny can invite sophisticated, hard-to-mitigate threats.
Lessons for Engineers and Security Teams
The Pixel 10 exploit drives home a simple reality: hardware upgrades and security features alone don’t guarantee immunity. Legacy vulnerabilities, especially in complex subsystems like multimedia drivers, persist and evolve to bypass new protections. Engineers can’t relax vigilance with each new chip or patch. Continuous scrutiny of driver code—especially components with privileged hardware access—is essential.
Security teams should prioritize early detection of subtle driver flaws, which are often critical attack surfaces. The Pixel 10 case shows that even mitigations like RET PAC can be circumvented when multiple vulnerabilities are chained. Layered defenses and comprehensive testing, including real-world exploit scenarios, are crucial.
Rapid patch cycles, like the 71-day turnaround here, are necessary but not sufficient. Underlying processes for discovery, triage, and fix verification must be robust and proactive. Integrating fuzzing, continuous integration testing, and threat modeling focused on driver interfaces can catch weaknesses before exploitation.
For Android developers and hardware integrators, the message is clear: security must be baked in from the ground up, with relentless attention to the often-overlooked driver layer. Each platform iteration is a fresh attack surface, not just a patched version of the last. Only then can the cycle of adapted legacy exploits be broken.
