Google Project Zero disclosed a zero-click exploit chain for Pixel 10 that adapts the Dolby decoder vulnerability CVE-2025-54957 and chains it with a local privilege-escalation flaw in the Pixel 10 VPU driver. The writeup says unpatched devices on the December 2025 security patch level or earlier are vulnerable, and that the VPU mmap bug can expose physical memory and enable kernel code execution.
Why it matters: A published zero-click-to-root chain is high-impact because it lowers the bar for attackers and confirms severe exposure on unpatched Pixel 10 devices. Affected users and enterprise defenders should verify Android security patch levels and prioritize remediation.
Seth Jenkins
2026.05.13
This article establishes the story by newly documenting the specific Pixel 10 exploit chain, the reused CVE-2025-54957 entry point, and a distinct VPU kernel flaw used for privilege escalation.