Pixel 10 0-click exploit chain demonstrates persistent Android attack surface despite mitigations
Google Project Zero published a 0-click exploit chain for Pixel 10 leveraging CVE-2025-54957 (Dolby vulnerability) and bypassing RET PAC mitigations. The attack requires only two exploits to achieve root access from a zero-interaction context, indicating modern Android devices remain vulnerable despite security hardening.
Project Zero's publication of a 0-click exploit chain for Pixel 10 shows that the move from Pixel 9 to Pixel 10 did not materially reduce the attack surface available to determined adversaries. The Dolby vulnerability (CVE-2025-54957) affected all Android versions until it was patched in January 2026, providing a reliable entry point that survived Android's incremental hardening.
The technical adaptation work was straightforward for the researchers: recalculating offsets for library-specific memory layouts presented only routine porting challenges. The meaningful hurdle was Pixel 10's adoption of RET PAC (pointer authentication of return addresses, a return-oriented-programming protection) in place of stack canaries. By removing the __stack_chk_fail overwrite vector, Google forced the exploit authors to pivot toward initialization code such as dap_cpdp_init. This is not a failure of RET PAC itself; rather, it shows that each added mitigation closes one path while leaving alternative gadget chains that still satisfy the exploit's requirements.
The implications for device security are sobering. The 0-click requirement means no user interaction is necessary, eliminating the need for social engineering or user deception. This capability places remotely-triggered device compromise within reach for both sophisticated threat actors and state-sponsored operations. The fact that two exploits suffice to reach root indicates insufficient isolation between attack surfaces and privileged execution contexts.
Defenders and OEMs must recognise that defensive depth requires more than offset shuffling and mitigation cycling. Organisations deploying Pixel devices should assume 0-click remote code execution is possible and focus on detection (anomalous process spawning from system daemons), containment (processes running as system user), and rapid security updates. The six-month window from vulnerability discovery to public exploit publication is relevant for incident response: if this vulnerability was similarly exploited in the wild during 2025, forensic investigation should focus on January 2026 as a potential pivot point for infections.
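An added example (not from Project Zero or the article) of the process-tree check the detection advice above describes: it walks a constructed ps-style snapshot and flags descendants of media-parsing daemons that are outside a baseline allow-list or that run as a privileged user. The daemon names and the allow-list are assumptions to be replaced by a known-good baseline from the device.

```python
from __future__ import annotations
from typing import NamedTuple

# Daemons that parse untrusted media and rarely fork; names are assumed here.
WATCHED_DAEMONS = {"audioserver", "mediaserver", "media.codec", "media.extractor"}
# Descendants considered normal under those daemons (assumed baseline).
ALLOWED_CHILDREN = WATCHED_DAEMONS
PRIVILEGED_USERS = {"root", "system"}

Proc = NamedTuple("Proc", [("pid", int), ("ppid", int), ("user", str), ("name", str)])

def parse_ps(text: str) -> list[Proc]:
    """Parse a 'USER PID PPID NAME' table; the header line is skipped."""
    rows = (line.split(maxsplit=3) for line in text.strip().splitlines()[1:])
    return [Proc(int(pid), int(ppid), user, name) for user, pid, ppid, name in rows]

def watched_ancestor(p: Proc, by_pid: dict[int, Proc]) -> Proc | None:
    """Nearest ancestor that is a watched daemon, or None (cycle-safe)."""
    seen, cur = set(), by_pid.get(p.ppid)
    while cur is not None and cur.pid not in seen:
        if cur.name in WATCHED_DAEMONS:
            return cur
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return None

def find_anomalies(procs: list[Proc]) -> list[tuple[str, int, str]]:
    """Return (kind, pid, daemon) for unexpected or privileged descendants."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        daemon = watched_ancestor(p, by_pid)
        if daemon is None:
            continue
        if p.name not in ALLOWED_CHILDREN:
            findings.append(("unexpected_child", p.pid, daemon.name))
        if p.user in PRIVILEGED_USERS:
            findings.append(("privileged_descendant", p.pid, daemon.name))
    return findings

# Constructed snapshot: a shell spawned under audioserver, then a root child of it.
SAMPLE_PS = """\
USER        PID  PPID NAME
root          1     0 init
audioserver 512     1 audioserver
mediacodec  530     1 media.codec
audioserver 777   512 sh
root        800   777 toybox
"""
```

Run `find_anomalies(parse_ps(SAMPLE_PS))` against a snapshot taken periodically on-device; the nearest-daemon walk means a root process several forks below a media daemon is still attributed to it.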
Broader platform implications extend beyond Pixel devices. The Dolby vulnerability spanned the entire Android ecosystem, and the exploit-adaptation methodology will inform attackers targeting other OEM implementations. The research pattern also reinforces the value of Project Zero's publication strategy: demonstrating that protections believed sufficient are circumventable accelerates industry adoption of genuinely stronger mitigations rather than false confidence in incremental hardening.