On May 16, 2026, Google’s Project Zero security research division published a critical vulnerability disclosure detailing a highly sophisticated, zero-click exploit chain that compromises the newly released Google Pixel 10 smartphone ecosystem.
The security advisory demonstrates how remote threat actors can silently execute malicious code, dismantle native kernel protections, and escalate privileges to full root administrative authority. Crucially, the attack requires zero user interaction—the victim does not need to click a link, download an application, or grant a single system permission.
The exploit chain bridges a legacy media parsing flaw with a newly introduced hardware abstraction layer driver. It exposes structural blind spots in how hardware components interact with core Android memory models.
The Exploit Mechanics: Bypassing the RET PAC Shield
The entry point of the attack is a port of previous research conducted on the Pixel 9 generation, which weaponized an integer overflow vulnerability (CVE-2025-54957) inside the third-party Dolby Media Framework library.
Because Android automatically decodes and processes incoming rich media files (such as audio clips received via RCS or SMS messaging) for instant transcription features, an attacker can trigger the bug simply by routing a malformed media file to the target device.
Plaintext
Malicious RCS Audio File ➔ Mediaserver Parsing ➔ Memory Offset Manipulation ➔ 'dap_cpdp_init' Hijack ➔ RET PAC Defeated
However, porting the exploit to Pixel 10 required researchers to defeat Google’s upgraded hardware protection mechanism: Return Address Pointer Authentication (RET PAC).
RET PAC signs return addresses in memory to block traditional stack-smashing methodologies. Because the standard target function (__stack_chk_fail) was fortified by this cryptographic defense, Project Zero engineers scanned the unpatched Dolby library execution flow and isolated an alternative target: the dap_cpdp_init initialization function.
By strategically hijacking this specific pointer before the runtime context validated system integrity, the researchers cleanly bypassed RET PAC, achieving remote code execution (RCE) inside the restricted mediaserver user space.
The Kernel Escalation: Exploiting the Tensor G5 VPU Driver
While the initial sandbox breach relied on modified memory offsets from the prior generation, escalating from a restricted media process to full root control required a brand-new attack path tailored to the Pixel 10’s custom silicon architecture.
The Pixel 10 utilizes Google’s new Tensor G5 chip, which interfaces with a Chips&Media Wave677DV video processing unit. To allow user-space processes to interact with this hardware accelerator, the operating system relies on a newly deployed kernel driver located at /dev/vpu.
Project Zero’s brief audit of the /dev/vpu driver exposed a critical flaw in its core memory mapping infrastructure:
- The Bound Validation Defect: When a user space process passes an
mmapallocation request to the VPU driver, the code fails to validate the requested memory length boundaries before executing theremap_pfn_rangekernel function. - Arbitrary Physical Space Exposure: An attacker can purposefully request an oversized memory map. Because the driver enforces no outer limits, the kernel mistakenly maps massive swaths of raw physical memory directly into the attacker’s controlled user space.
Because the Android kernel is loaded at highly predictable physical address structures on Pixel hardware, writing a few lines of exploit code allows the attacker to locate and directly overwrite critical kernel data structures, instantly unlocking arbitrary kernel read and write capabilities.
Patching Status and Recurring Engineering Gaps
Google Project Zero quietly reported the underlying hardware driver exploit to Google’s Android security response team on November 24, 2025. Google formally remediated the vulnerabilities within a 71-day window, releasing comprehensive patches as part of the February 2026 Android Security Update.
While the 71-day response window marks a drastic speed improvement compared to historic kernel driver patching timelines, Project Zero highlighted a troubling trend in the vendor supply chain. The vulnerable /dev/vpu driver on the Tensor G5 chip was engineered by the exact same development unit responsible for the flawed “BigWave” driver from the previous generation.
This recurrence strongly implies that hardware-specific coding teams are failing to implement generalized secure development lifecycles (SDL) and cross-component security auditing. As specialized AI, camera, and video processing accelerators increasingly dominate modern smartphone chips, the software drivers managing them are fast becoming the most exposed boundary lines in mobile security.
