
A 0-click exploit chain for the Pixel 10

Google's Project Zero dissects a zero-click exploit chain for the Pixel 10, revealing a shockingly simple kernel vulnerability that allows arbitrary physical memory access. This deep dive into a critical security flaw highlights the persistent challenge of driver security in Android, even as Google demonstrates improved patching speeds. Hacker News commenters are particularly intrigued by the ease of discovery, the role of AI in vulnerability assessment, and the broader implications for Android's security posture.

Score: 45 | Comments: 6 | Highest Rank: #1 | 8h on Front Page
First Seen: May 15, 2:00 PM | Last Seen: May 15, 9:00 PM
Rank Over Time: (chart not reproduced)

The Lowdown

Project Zero, Google's elite security research team, has published a detailed account of a 0-click exploit chain targeting the Pixel 10. Building on previous work that exploited the Pixel 9, this research uncovers new vulnerabilities, particularly in critical hardware drivers, demonstrating the ongoing need for rigorous security practices in software development.

The exploit chain consists of two primary stages:

  • Updated Dolby Exploit: The initial 0-click exploit, originally targeting a Dolby vulnerability (CVE-2025-54957) across Android, was adapted for the Pixel 10. This involved updating offsets and bypassing __stack_chk_fail using dap_cpdp_init due to the Pixel 10's use of RET PAC. This part works on devices patched before December 2025.
  • Novel VPU Driver Vulnerability: For local privilege escalation, a new vulnerability was found in the VPU driver for the Chips&Media Wave677DV silicon on the Tensor G5 chip, which replaces the BigWave driver used on the Pixel 9. The bug, found after only two hours of auditing, let userspace map arbitrary physical memory because the remap_pfn_range call in the vpu_mmap function did not bound the caller-supplied range. Because the kernel is loaded at the same, predictable physical address on Pixel devices, exploiting this is trivial, giving arbitrary kernel read/write with just five lines of code.

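The VPU bug described above is a missing range check in a device mmap() handler. The following userspace model, added here as an illustration and not taken from the Pixel VPU driver or from Project Zero's write-up, shows the defect class next to the check a driver needs before calling remap_pfn_range(): the page offset and length that userspace passes to mmap() must be validated against the window the device is actually allowed to expose. The device base address, window size and vm_req structure are constructed placeholders that stand in for the kernel's vm_area_struct fields.

```c
#include <errno.h>
#include <stdio.h>

/* Page geometry of the model (4 KiB pages, as on the Linux kernels in question). */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

/* Constructed, hypothetical device window: 1 MiB starting at a placeholder
 * physical address. Not a real Pixel address. */
#define DEV_PHYS_BASE 0x40000000UL
#define DEV_PHYS_SIZE (1UL << 20)

/* Minimal stand-in for the vm_area_struct fields an mmap handler consults. */
struct vm_req {
    unsigned long vm_pgoff;  /* mmap() offset argument, in pages */
    unsigned long vm_start;  /* start of the userspace mapping */
    unsigned long vm_end;    /* end of the mapping; vm_end - vm_start is its length */
};

/* Vulnerable pattern: the caller-controlled page offset is used directly as the
 * physical frame number handed to remap_pfn_range(), with no range check, so
 * userspace chooses which physical pages it receives. */
static unsigned long pfn_unchecked(const struct vm_req *vma)
{
    return vma->vm_pgoff;
}

/* Hardened pattern: treat vm_pgoff as an offset inside the device window and
 * reject any request that is not page-aligned or that does not lie entirely
 * within [DEV_PHYS_BASE, DEV_PHYS_BASE + DEV_PHYS_SIZE).
 * Returns the PFN to map on success, or -EINVAL. */
static long pfn_checked(const struct vm_req *vma)
{
    unsigned long len = vma->vm_end - vma->vm_start;
    unsigned long off;

    /* Length must be non-zero and a whole number of pages. */
    if (len == 0 || (len & (PAGE_SIZE - 1)) != 0)
        return -EINVAL;

    /* The offset itself must start inside the window. */
    if (vma->vm_pgoff >= (DEV_PHYS_SIZE >> PAGE_SHIFT))
        return -EINVAL;
    off = vma->vm_pgoff << PAGE_SHIFT;

    /* Overflow-safe form of "off + len <= DEV_PHYS_SIZE". */
    if (len > DEV_PHYS_SIZE - off)
        return -EINVAL;

    return (long)((DEV_PHYS_BASE + off) >> PAGE_SHIFT);
}

/* Convenience wrapper: build a request of npages pages at page offset pgoff
 * and run it through the hardened check. */
static long check_window(unsigned long pgoff, unsigned long npages)
{
    struct vm_req vma = {
        .vm_pgoff = pgoff,
        .vm_start = 0x10000UL,
        .vm_end   = 0x10000UL + npages * PAGE_SIZE,
    };
    return pfn_checked(&vma);
}

int main(void)
{
    /* Constructed requests: one inside the window, two outside it. */
    printf("in-window  (pgoff=1,   2 pages): %ld\n", check_window(1, 2));
    printf("past-end   (pgoff=255, 2 pages): %ld\n", check_window(255, 2));
    printf("far-away   (pgoff=0x80000, 1 page): %ld\n", check_window(0x80000UL, 1));

    struct vm_req rogue = { .vm_pgoff = 0x80000UL, .vm_start = 0, .vm_end = PAGE_SIZE };
    printf("unchecked handler would map PFN 0x%lx\n", pfn_unchecked(&rogue));
    return 0;
}
```

The two branches of the check matter independently: testing only `vm_pgoff` lets a caller that starts inside the window run past its end by asking for a long mapping, and testing only the length lets a caller pick an offset far outside it. Auditing an mmap handler for this class of bug therefore means confirming that both the start and the end of the requested range are bounded before remap_pfn_range() is reached.
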
Project Zero reported the VPU bug in November 2025, and it was patched in February 2026—a notably fast 71-day turnaround, marking a positive shift in Android's triage process. Despite this improvement, the team emphasizes that the existence of such a shallow, critical vulnerability underscores the persistent need for more robust, security-aware code in Android drivers and proactive auditing by vendors.

The Gossip

AI's Role in Exploit Revelation

Commenters ponder the emerging role of Artificial Intelligence in discovering security vulnerabilities. One user asks whether a large language model could have identified this particular kernel bug and reports that a specific LLM did so. This leads to a discussion on whether AI will eventually dominate exploit discovery or whether human expertise will remain paramount, especially given the perceived increase in published exploits.

Alarming Android Vulnerabilities

Many in the community express concern and surprise over the simplicity and severity of the kernel vulnerability. The fact that a 'holy grail' bug allowing arbitrary physical memory access was found with minimal effort is alarming to readers, prompting questions about the general security rigor of Android drivers and the potential for other undiscovered critical flaws.

Patching Paces & Practices

The improved patch time of 71 days for this specific Android bug is noted as a positive step, contrasting with previous experiences. However, this progress is tempered by concerns about the general state of Android security and comparisons are drawn to other operating systems or hardened distributions like GrapheneOS, which achieves high security levels even on the same hardware where Google struggles with fundamental issues like kernel address randomization.