
A 0-click exploit chain for the Pixel 10: When a Door Closes, a Window Opens

Google Project Zero shows how its earlier Dolby zero-click bug (CVE-2025-54957) was adapted from the Pixel 9 to the Pixel 10. The port required retargeting library offsets and replacing the old __stack_chk_fail overwrite with a one-shot function-pointer target, dap_cpdp_init, because the newer build protected returns with PAC (RET PAC) rather than a stack protector, so there was no canary-check call left to hijack.

For privilege escalation, the researchers found that the Pixel 10 no longer shipped the BigWave driver used in the previous chain. A quick audit of the replacement /dev/vpu driver for the Chips&Media Wave677DV uncovered an mmap bug in vpu_mmap: it passes the attacker-controlled VMA length to remap_pfn_range without bounding it to the size of the MMIO register region. That mistake lets an unprivileged process map physical memory well beyond the VPU register area, which on Pixel includes the kernel image at a stable physical offset, giving straightforward arbitrary kernel read/write and enabling kernel code execution with minimal exploit logic.

The post is significant both because it documents a practical zero-click-to-root chain on a flagship Android device and because it highlights a recurring class of dangerously shallow vendor-driver bugs that survive into production despite prior disclosures.
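To make the vpu_mmap defect concrete from a reviewer's side, here is an added user-space model of the check the post says is missing. This is not Project Zero's code and not the Pixel vpu driver: the `struct vma` stand-in, the register base and 64 KiB region size, and the `remap_pfn_range_stub` recorder are all constructed for the example; the real driver works on the kernel's `struct vm_area_struct` and calls `remap_pfn_range()`. The flawed handler forwards the VMA length unchanged, while the hardened handler rejects any request whose page offset plus length does not fit inside the MMIO window (including the overflow case where a huge `vm_pgoff` would wrap the arithmetic).

```c
/*
 * Added example (not the Pixel vpu driver's code): a user-space model of the
 * bounds check an mmap handler for an MMIO region needs. Assumptions: a
 * 64 KiB register window at a constructed physical base, a minimal VMA
 * struct, and a stub in place of remap_pfn_range() that only records the
 * mapping it would have created.
 */
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define EINVAL     22

/* Minimal stand-in for the kernel's struct vm_area_struct. */
struct vma {
    unsigned long vm_start;
    unsigned long vm_end;   /* exclusive */
    unsigned long vm_pgoff; /* offset into the region, in pages */
};

/* Constructed MMIO window for the model: 64 KiB of registers. */
#define VPU_REG_BASE 0xF0000000UL
#define VPU_REG_SIZE 0x10000UL

/* What the last "remap" would have exposed, so callers can inspect it. */
static unsigned long last_pfn;
static unsigned long last_size;

/* Stand-in for remap_pfn_range(): records the pfn and size, always succeeds. */
static int remap_pfn_range_stub(unsigned long pfn, unsigned long size)
{
    last_pfn = pfn;
    last_size = size;
    return 0;
}

unsigned long last_remap_size(void) { return last_size; }
unsigned long last_remap_pfn(void)  { return last_pfn; }

/* Flawed pattern described in the post: the VMA length is trusted as-is,
 * so a caller asking for more than VPU_REG_SIZE is mapped past the window. */
int vpu_mmap_unbounded(struct vma *v)
{
    unsigned long size = v->vm_end - v->vm_start;
    unsigned long pfn  = (VPU_REG_BASE >> PAGE_SHIFT) + v->vm_pgoff;
    return remap_pfn_range_stub(pfn, size);
}

/* Hardened form: the mapping must lie entirely inside the MMIO window. */
int vpu_mmap_bounded(struct vma *v)
{
    unsigned long size, off;

    if (v->vm_end <= v->vm_start)
        return -EINVAL;
    size = v->vm_end - v->vm_start;
    if (size & (PAGE_SIZE - 1))            /* must be page-granular */
        return -EINVAL;
    /* Check the page offset before shifting it, so it cannot wrap. */
    if (v->vm_pgoff > (VPU_REG_SIZE >> PAGE_SHIFT))
        return -EINVAL;
    off = v->vm_pgoff << PAGE_SHIFT;
    /* Subtraction form avoids overflow in "off + size". */
    if (size > VPU_REG_SIZE - off)
        return -EINVAL;

    return remap_pfn_range_stub((VPU_REG_BASE + off) >> PAGE_SHIFT, size);
}

int main(void)
{
    struct vma whole = { 0x10000, 0x20000, 0 };            /* exactly 64 KiB */
    struct vma big   = { 0x10000, 0x10000 + 0x100000, 0 }; /* 1 MiB request */

    printf("bounded, whole window : %d (size 0x%lx)\n",
           vpu_mmap_bounded(&whole), last_remap_size());
    printf("bounded, 1 MiB request: %d\n", vpu_mmap_bounded(&big));
    printf("unbounded, 1 MiB      : %d (size 0x%lx)\n",
           vpu_mmap_unbounded(&big), last_remap_size());
    return 0;
}
```

The two rejections that matter most are the ones an attacker-shaped input exercises: a length larger than the window, and a page offset that pushes the end of the mapping past it. Keeping the comparison in subtraction form (`size > VPU_REG_SIZE - off`) after the offset has already been validated is what keeps the check sound on 64-bit `unsigned long` inputs.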

Read original article

This post is licensed under CC BY 4.0 by the author.