
Pixel 10 zero‑click exploit chain leverages VPU driver bug

Source: Hacker News

Project Zero rebuilt its two‑stage zero‑click exploit for the newer Pixel 10, extending the chain that previously gave root on the Pixel 9. The original Dolby vulnerability (CVE‑2025‑54957) spanned every Android release until a January 2026 patch. Updating the exploit meant recalculating library offsets and bypassing the device’s RET PAC protection by hijacking the dap_cpdp_init routine, which runs only once during decoder startup.

Pixel 10 drops the BigWave driver, exposing a fresh /dev/vpu interface tied to the Chips&Media Wave677DV accelerator. Auditing the VPU driver with Jann Horn revealed an mmap handler that remaps physical memory without bounds, allowing a user to map the entire kernel image by requesting an oversized region. Because the kernel’s physical base is constant on Pixel devices, attackers can directly overwrite kernel code with just a few lines of user‑space code.
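The bug class described above is a device mmap handler that hands out physical pages without checking that the requested window fits inside the device's register region. The following is an added, user-space model of that check, not Project Zero's code and not the Wave677DV driver's code: the region base and size, the `vpu_mmap_unchecked` and `vpu_mmap_checked` names, and the request values are all hypothetical, chosen only to show what an oversized request looks like when it is refused versus silently accepted. In a real Linux driver the page offset and length would come from `vma->vm_pgoff` and `vma->vm_end - vma->vm_start`, and the resulting physical base would be passed to `remap_pfn_range`.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical register window for an accelerator; constructed values, not
 * the real Pixel 10 / Wave677DV layout. */
#define VPU_REGION_BASE 0x80000000ULL
#define VPU_REGION_SIZE 0x10000ULL      /* 64 KiB of device registers */
#define PAGE_SIZE_BYTES 4096ULL

/* Model of the failure mode described in the article: the handler derives a
 * physical address from the caller's page offset and never looks at how many
 * bytes were asked for, so a huge length maps far past the device window. */
static bool vpu_mmap_unchecked(uint64_t pgoff, uint64_t len, uint64_t *out_phys)
{
    (void)len;                              /* length is simply ignored */
    *out_phys = VPU_REGION_BASE + pgoff * PAGE_SIZE_BYTES;
    return true;
}

/* Hardened model: every check is done in a form that cannot overflow. */
static bool vpu_mmap_checked(uint64_t pgoff, uint64_t len, uint64_t *out_phys)
{
    /* mmap lengths are page multiples; reject empty or misaligned requests */
    if (len == 0 || len % PAGE_SIZE_BYTES != 0)
        return false;
    /* pgoff * PAGE_SIZE must not wrap around */
    if (pgoff > UINT64_MAX / PAGE_SIZE_BYTES)
        return false;
    uint64_t off = pgoff * PAGE_SIZE_BYTES;
    /* start must lie inside the window ... */
    if (off >= VPU_REGION_SIZE)
        return false;
    /* ... and the whole [off, off+len) range must fit; written as a
     * subtraction so off + len is never computed and cannot overflow */
    if (len > VPU_REGION_SIZE - off)
        return false;
    *out_phys = VPU_REGION_BASE + off;
    return true;
}

/* Audit helper: does [phys, phys+len) stay inside the device window? */
static bool within_device_window(uint64_t phys, uint64_t len)
{
    if (phys < VPU_REGION_BASE || len > VPU_REGION_SIZE)
        return false;
    return (phys - VPU_REGION_BASE) <= (VPU_REGION_SIZE - len);
}

int main(void)
{
    /* Constructed request: page offset 0, but 1 GiB of length. */
    const uint64_t oversized = 1ULL << 30;
    uint64_t phys = 0;

    bool accepted = vpu_mmap_unchecked(0, oversized, &phys);
    printf("unchecked: accepted=%d phys=0x%" PRIx64 " in_window=%d\n",
           accepted, phys, within_device_window(phys, oversized));

    accepted = vpu_mmap_checked(0, oversized, &phys);
    printf("checked:   accepted=%d\n", accepted);

    accepted = vpu_mmap_checked(1, PAGE_SIZE_BYTES, &phys);
    printf("checked one page at offset 1: accepted=%d phys=0x%" PRIx64 "\n",
           accepted, phys);
    return 0;
}
```

The point of the hardened variant is not only the presence of a bounds check but its shape: the offset multiplication and the end-of-range comparison are both written so that no intermediate value can wrap, which is the detail most often wrong in driver mmap handlers even when a check is present.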

The flaw was reported on 24 Nov 2025, classified as High severity, and received a patch 71 days later in February’s Pixel security bulletin—the fastest vendor response to a driver bug that Project Zero has seen. The episode shows Android’s improved triage while also underscoring that shallow driver errors can still slip through, reinforcing the need for rigorous code audits across the Android stack.