1mo ago · google-project-zero
Google Project Zero discovered a 0-click exploit chain targeting the Google Pixel 10, leveraging a modified version of a previously known Dolby vulnerability (CVE-2025-54957) and a new kernel vulnerability in the VPU driver. The VPU driver exposes MMIO register mappings without proper bounds checking, allowing arbitrary physical memory mapping and kernel memory modification from userspace. This enables trivial privilege escalation to kernel code execution. The vulnerability was reported in November 2025 and patched in the February 2026 Pixel security bulletin, marking improved triage response from Android.