Google Pixel 10 Zero-Click Exploit Chain Discovered

Security researchers have developed a zero-click exploit chain for Google Pixel 10 that achieves root access through just two vulnerabilities. The exploit updates a previously discovered Dolby vulnerability (CVE-2025-54957) that affected all Android devices until patching in January 2026. Since the Pixel 10 removed the BigWave driver, researchers identified an alternative vulnerability in the new VPU driver used for video decoding on the Tensor G5 chip. The VPU driver, developed by the same team behind the BigWave driver, contained critical flaws discovered during security auditing. The exploit only functions on unpatched devices running security patches from December 2025 or earlier. Source: Security Research Publication.