Project Zero's Pixel 10 chain shows Android mitigations still leave a zero-click path to root
Google Project Zero's Pixel 10 zero-click chain shows how Android hardening changes exploit shape without removing reachable attack surface in media parsing and device drivers.
Google Project Zero's Pixel 10 exploit chain shows that Android's modern mitigations can change an exploit without breaking the chain. The published research adapts an earlier Pixel 9 zero-click-to-root path to Pixel 10 using CVE-2025-54957 in Dolby UDC as the remote entry point and a Pixel 10 VPU driver as the escalation surface. The uncomfortable detail is not that one bug existed. It is that the attack path still needed only two major links: a zero-interaction media decoder bug and a reachable privileged driver.
This is the useful part of the research. It does not say RET PAC is useless. It says that mitigation success has to be measured at chain level, not primitive level. A mitigation that removes one overwrite target is doing real work. A platform that still exposes a new overwrite target in the same parsing path and a new device driver in the same sandbox context has not solved the attacker workflow. It has made the workflow more specialised.
What Project Zero published
Project Zero published the Pixel 10 write-up on 13 May 2026. It followed two January posts that built a Pixel 9 chain from a zero-click context to root. In the Pixel 9 work, Project Zero described how incoming SMS and RCS audio attachments in Google Messages are automatically decoded so audio transcription and related features can operate before a user opens the message. That design choice places audio decoders in the zero-click attack surface. A malformed media file no longer needs to persuade a user to tap play. The platform has already agreed to parse it.
The entry bug is CVE-2025-54957, a Dolby Unified Decoder issue. NVD describes it as affecting Dolby UDC 4.5 through 4.13. When Evolution data is processed from a DD+ bitstream, the decoder writes that data into a buffer. A length calculation can overflow through integer wraparound, causing the allocated buffer to be too small and making the later bounds check ineffective. The result is an out-of-bounds write. NVD assigns it CVSS 9.8 critical with network attack vector, low attack complexity, no privileges required and no user interaction required.
Project Zero said the Dolby vulnerability existed across Android until it was patched in January 2026. The Pixel 10 post focuses on what happened after that first link. The team already had a working exploit chain for Pixel 9. The question was whether the same general route could survive the move to Pixel 10.
According to Project Zero, the Dolby exploit adaptation was mostly routine offset work. The researchers updated offsets for the specific library version used on Pixel 10. The meaningful change was mitigation related: Pixel 10 uses RET PAC where the earlier target used -fstack-protector. That removed the __stack_chk_fail overwrite path. The exploit did not vanish. It moved.
Project Zero used dap_cpdp_init, initialisation code called once when the decoder starts and not called again, as the alternative target. The point is narrow but important. Control-flow hardening made one familiar technique unavailable. The exploitable programme still contained initialisation state that could be overwritten without breaking ordinary decoder operation early enough to stop the attack.
RET PAC closed a door, not the building
Return address pointer authentication is not decorative security. On ARM platforms, pointer authentication can make return-oriented programming harder by cryptographically signing control-flow data and checking it before use. RET PAC raises the cost of traditional stack-return corruption. That is a real improvement over relying on stack canaries alone.
The Pixel 10 chain is interesting precisely because it avoids the lazy conclusion that a bypass means a mitigation failed. A mitigation can work exactly as designed and still not remove exploitability. RET PAC changed the shape of the exploit by blocking the route that depended on overwriting __stack_chk_fail. Project Zero then found a different state transition in the decoder, one tied to initialisation rather than repeated runtime control flow.
That pattern is likely to become more common. As mainstream mitigations reduce the availability of obvious corruption targets, exploitation moves into code that looks less like the old textbook examples. Initialisation routines, one-shot setup paths, codec state machines, driver configuration interfaces and error paths become more attractive because they often sit near complex data parsing while receiving less defensive scrutiny than hot control-flow paths.
This is not a call to abandon mitigations. It is a warning against treating mitigation adoption as a platform-level proof. RET PAC can remove classes of return-address abuse. It cannot make a complicated media decoder memory-safe. It cannot make a hardware driver safe to expose to a compromised media process. It cannot compensate for a parser that processes attacker-controlled data before user interaction.
In other words, RET PAC narrowed the corridor. The building still had windows.
The zero-click surface came from useful features
The most important security lesson in the Pixel 9 and Pixel 10 posts is not hidden in the exploit mechanics. It is in the product behaviour that created the entry point. Project Zero's January analysis tied the zero-click surface to AI-powered and convenience features that process message media so users can search, transcribe and understand content more easily. Audio attachments received through SMS and RCS may be decoded automatically. That is useful. It is also a remote parser exposed to untrusted input.
Modern mobile platforms have spent years reducing obvious attack paths. Browsers are heavily sandboxed. Messaging clients have hardened attachment handling. Permissions are more granular. Kernel attack surface is more constrained than it used to be. At the same time, phones increasingly pre-process content on the user's behalf. Messages are indexed. Audio is transcribed. Images are classified. Notifications are enriched. Assistive features need the device to understand content before the user asks for it.
That design trend shifts risk. The attacker no longer needs to persuade the user to open a file if the operating system or application stack opens enough of it automatically. The attack surface is not a button. It is a background service doing helpful work.
This is why the Dolby issue matters beyond a single CVE. NVD's record is a conventional memory corruption entry: integer wraparound, out-of-bounds write, critical severity. Project Zero's research places that bug inside a more consequential system boundary. A codec vulnerability becomes a zero-click vulnerability when the codec is reachable through automatic message processing. A media decoder compromise becomes a device compromise when the decoder's sandbox can reach a kernel driver with the wrong properties.
Security engineering often treats these as separate layers: application parsing, media sandboxing, SELinux policy, kernel driver hardening and hardware interfaces. Attackers treat them as a route map.
The driver boundary remains the weak seam
The Pixel 9 privilege escalation used the BigWave driver, accessible from the mediacodec SELinux context. Project Zero's January post described mediacodec as intended to be a constrained sandbox for non-secure software decoders, then showed that the context could reach /dev/bigwave, a driver for AV1 acceleration hardware. The team found multiple bugs and used one powerful enough to escape the sandbox and gain kernel arbitrary read and write.
Pixel 10 changed the hardware surface. Project Zero said the BigWave driver does not ship on the device. That could have ended the port. Instead, the researchers found /dev/vpu visible from the same mediacodec context. The driver interacts with Chips&Media Wave677DV silicon on the Tensor G5 chip for video decoding. According to Project Zero, the Pixel driver did not integrate with V4L2 in the way the upstream driver for an older related chip did. It directly exposed the chip's hardware interface to userspace, including the ability to map the chip's MMIO register interface.
That is the part defenders should sit with. The first driver disappeared and another one occupied the same strategic position: reachable from a media context and close enough to privileged hardware interaction to matter. The platform changed, but the trust boundary still depended on the correctness of complex low-level code.
Hardware accelerator drivers are a recurring mobile security problem because they sit at the intersection of performance pressure, vendor-specific implementation and privilege. Media workloads need speed. Speed pushes work into specialised silicon. Specialised silicon needs drivers and firmware interfaces. Those interfaces often expose complicated state machines to userspace clients. If a media sandbox is allowed to talk to them, a decoder bug can become the first step rather than the whole incident.
The lesson is not that media sandboxes are pointless. Without a sandbox, decoder compromise would already be too powerful. The lesson is that a sandbox policy is only as strong as the devices it exposes. If the constrained context can access a driver that maps hardware registers or accepts rich command buffers, the sandbox boundary has inherited that driver's entire bug class.
Two links is still too short
Project Zero's Pixel 10 work should bother Android defenders because the chain length remains short. The public write-up describes a path with two conceptual exploits: a zero-click Dolby decoder compromise and a local escalation through a driver reachable from the media context. There is engineering work between those points. Project Zero is clear that building a reliable chain is not a copy-and-paste exercise. But conceptually, the path is compact.
That compactness matters. Defensive depth is supposed to force attackers through multiple independent failures. A remote parser bug should land in a sandbox. The sandbox should have a narrow, boring syscall and device surface. The reachable kernel interfaces should be hardened, memory-safe where possible and hostile to untrusted clients. Escalation from media parsing to root should require more than finding the next exposed accelerator driver.
When two links are enough, the platform is relying heavily on each link being almost perfect. That is a bad bargain for code handling attacker-supplied media and vendor-specific hardware interfaces. Codecs are complex by design. Drivers are difficult to audit at scale. Their interaction is exactly where perfect assumptions go to die.
There is also a patching dimension. Project Zero said the updated Dolby exploit works only on unpatched devices with SPL December 2025 or earlier. That is useful operational guidance, but it does not erase the structural issue. Mobile patch uptake is uneven across vendors, geographies and device fleets. Enterprise mobile device management can improve the situation, but consumer ecosystems and long-tail devices remain slower. A vulnerability that exists across a broad Android component until January 2026 gives attackers time, and automatic parsing gives them a delivery model.
No source used for this post verifies in-the-wild exploitation of this specific Pixel 10 chain. That distinction matters. Research chains are not incident reports. But high-end mobile exploitation markets do not need many such chains to make the economics work. A reliable zero-click route against current devices is valuable precisely because the target does not need to make a mistake.
What defenders can actually take from this
The practical response is not to tell users to avoid audio messages. That advice misunderstands zero-click exposure. If the vulnerable path is automatic processing, user caution is not the control. The relevant controls sit with platform vendors, OEMs, application developers and fleet operators.
For platform engineers, the priority is reducing pre-interaction parsing and making unavoidable parsers memory-safe or more aggressively isolated. If a message feature needs transcription, the parser should run in a context with the least possible access to device nodes, brokered interfaces and kernel attack surface. Media sandbox policy should be reviewed as an exploit-chain control, not a compliance artefact.
For OEMs, the driver lesson is direct. Hardware accelerator drivers reachable from media contexts need the same threat model as browser-exposed attack surface. They should not expose raw hardware interfaces to userspace unless there is no alternative, and if there is no alternative then that exposure deserves serious fuzzing, code review and runtime containment. Upstream interface patterns matter. Diverging into direct, bespoke userspace interfaces may buy performance or integration speed, but it can also buy a clean escalation primitive.
For defenders managing Pixel or Android fleets, patch level remains the clearest immediate control. Devices on SPL December 2025 or earlier are the relevant risk group for the updated Dolby exploit described by Project Zero. Monitoring is harder. Media decoder compromise is not noisy by default, and a successful zero-click chain may leave little user-visible evidence. Still, process anomalies from media services, unexpected access to accelerator device nodes and signs of SELinux state tampering are worth treating as high-signal in forensic work.
For security leaders, the broader point is procurement and lifecycle pressure. Mobile device security claims often emphasise mitigation names. RET PAC, sandboxing, SELinux and kernel hardening all matter. The question is how those controls compose when a real chain crosses them. A mitigation inventory is not the same thing as a chain-breaking guarantee.
The shape of modern mobile exploitation
The Pixel 10 chain is a good example of where mobile exploitation has moved. It is less about one spectacular bug and more about finding the seams between components that were each defensible in isolation. A codec parses untrusted media because the product needs automatic understanding. A sandbox contains the codec but exposes acceleration devices because media performance matters. A driver speaks to specialised silicon through a rich interface because hardware offload is complicated. A mitigation blocks the old overwrite target, so the exploit moves into initialisation state.
None of those facts is surprising alone. Together, they describe why modern Android exploitation remains possible after years of serious hardening. The platform has not stood still. Neither have the chains.
Project Zero's work is valuable because it denies both easy narratives. It does not support the claim that mitigations are theatre. RET PAC changed the exploit and removed a usable primitive. It also does not support the claim that modern Android hardening has made zero-click root chains implausible outside mythology. The published research shows that a current-generation device can still be traversed from automatic message media processing to root when the right parser and driver bugs line up.
The unresolved question is how much attack surface users are willing to accept for devices that increasingly read, transcribe and interpret content before being asked. The more useful the phone becomes in the background, the more security depends on invisible parsers and drivers behaving perfectly under hostile input. That is a lot of trust to place in code whose best defence may be that nobody has looked closely enough yet.
Newsletter
One email a week. Security research, engineering deep-dives and AI security insights - written for practitioners. No noise.