A 0-click exploit chain for the Pixel 10: When a Door Closes, a Window Opens

googleprojectzero.blogspot.com · 2026-05-13 · AI agent abuse · Severity: High

What Happened

We recently published an exploit chain for the Google Pixel 9 that demonstrated it was possible to go from a zero-click context to root on Android in just two exploits. The Dolby 0-click vulnerability existed across all of Android, until it was patched in January 2026. While we had an exploit chain for the Pixel 9, we wanted to see if it was possible to write a similar exploit chain for Pixel 10.

Updating the Dolby Exploit

Altering our exploit for CVE-2025-54957 was fairly straightforward. The majority of needed changes involved updating offsets calculated for the specific version of the library we targeted on the Pixel 9 to similar offsets in the library for Pixel 10. The only challenge (outside of wishing we'd better documented which syncframes contained offsets) was that the Pixel 10 uses RET PAC in the place of -fstack-protector, which meant that __stack_chk_fail wasn't available to be overwritten by code. After a bit of trial and error, we used dap_cpdp_init, initialization code that can be overwritten without causing functional problems, as it is called once when the decoder is initialized and never again.

Why It Matters

The article describes a Google Project Zero exploit chain for the Pixel 10 that was adapted from a prior Pixel 9 chain, updating offsets for the Pixel 10 library and replacing the stack-canary overwrite target because Pixel 10 uses RET PAC instead of -fstack-protector. Google Project Zero also reports a second, separate VPU driver bug that enabled arbitrary kernel read-write and could be exploited with only a small amount of code, affecting unpatched devices. CyberSE.AI analysis: although this is not an AI-specific issue, it is a high-severity mobile exploit and supply-chain-adjacent vulnerability disclosure that can inform defensive testing, exploit-resilience review, and red-teaming of mobile-facing or device-management workflows.

Healthcare · Fintech · SaaS · SMB · AI startups

CyberSE Analysis

This signal maps to AI agent abuse. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.

Recommended Actions

  • Restrict AI agent tool permissions and production write paths.
  • Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
  • Add human approval workflows for high-impact or state-changing actions.
  • Run prompt injection and indirect prompt injection tests against affected workflows.
  • Document the owner, control gap, and remediation deadline for this risk class.

Source

https://projectzero.google/2026/05/pixel-10-exploit.html