OPEN LINK ↗
// 2h agoSECURITY INCIDENT
Project Zero details Pixel 10 exploit chain
Google Project Zero published a write-up showing how a 0-click exploit chain could be built for the Pixel 10 by updating the earlier Dolby UDC exploit and pairing it with a newly found VPU driver bug. The post says the chain can reach kernel read/write on unpatched devices, explains why the Pixel 10 port was possible, and notes that the driver issue was reported in November 2025 and patched in the February Pixel security bulletin after 71 days.
// ANALYSIS
Hot take: this is less a story about a single phone and more a reminder that one shallow driver bug can turn a modern device into a full-kernel compromise.
- –The exploit chain combines a zero-click media parsing bug with a local privilege escalation path, which is the kind of composition attackers actually care about.
- –The VPU issue is especially concerning because the mmap handler failed to bound the mapped range to the hardware register region.
- –Project Zero says the full exploit was simple to build once the bug was found, which points to a process problem rather than a novel attack technique.
- –The write-up also highlights a positive shift: Android triaged the driver issue as High severity and patched it within 90 days.
// TAGS
pixel-10androidproject-zeroexploit-chainzero-clickkernel-vulnerabilityvpu-driversecurity-research
DISCOVERED
2h ago
2026-05-15
PUBLISHED
4h ago
2026-05-15
RELEVANCE
9/ 10
AUTHOR
happyhardcore