Pixel 10 can be rooted by a silent, zero-click chain that pairs a Dolby audio decoder flaw with a new overwrite target at a different offset in the decoder library.
The Two‑Step Attack
The first hop re-uses the Dolby 0-click vulnerability that affected all Android releases until it was patched in January 2026. The second hop exploits CVE-2025-54957, a buffer overflow in the Dolby decoder's syncframe handling. On Pixel 9 the chain needed only a handful of offset adjustments; on Pixel 10 the same logic applies, but the decoder library is now built with PAC-RET (pointer authentication of return addresses) rather than the -fstack-protector canaries the Pixel 9 build relied on, which changes what an overflow can usefully overwrite.
PAC-RET vs. __stack_chk_fail
Because the Pixel 10 build of the library no longer exports __stack_chk_fail, the original overwrite target is gone. The authors sidestepped this by targeting dap_cpdp_init, a one-time initialization routine that can be overwritten without breaking the decoder once setup has finished. After a few trials they found the correct offset in the Pixel 10 library and redirected execution to their payload. The caveat for defenders is that PAC-RET signs return addresses only; a code pointer that an overflow can reach in writable memory is outside its coverage, which is how one closed door left a window open.
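The two mechanics described above, a length-unchecked syncframe copy and an overflow that lands on a writable code pointer rather than a return address, as an added, constructed example. This is not Project Zero's exploit or Dolby's decoder code: the header layout, the struct, and the names parse_syncframe_unchecked, parse_syncframe_checked, run_parser and on_init are all assumptions made for the demonstration. The vulnerable parser checks the declared length against the input only; the hardened one also checks it against the destination. The overflow is written through a union's raw view so its effect on the neighbouring pointer is observable without relying on out-of-bounds array behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model, not Dolby code: a decoder keeps a fixed-size syncframe
 * staging buffer in the same allocation as a writable code pointer. A copy
 * that trusts the declared length reaches that pointer. PAC-RET signs
 * return addresses only, so a write like this is outside its coverage.
 */
#define FRAME_MAX 16u

struct decoder_state {
    unsigned char frame[FRAME_MAX];   /* syncframe payload staging area */
    uint32_t frame_len;               /* bytes currently staged */
    void (*on_init)(void);            /* stand-in for an overwritable init hook */
};

/* Same bytes viewed two ways, so the overflow's effect on on_init is
 * observable without out-of-bounds array semantics. */
union decoder_mem {
    struct decoder_state s;
    unsigned char raw[sizeof(struct decoder_state)];
};

static void real_init(void) { /* would run once during decoder setup */ }

/* Constructed header layout (not the real DD+ bitstream): sync word 0x0B77,
 * one byte of declared payload length, then the payload. */
enum { SYNC_HI = 0x0B, SYNC_LO = 0x77, HDR_LEN = 3 };

static int check_header(const unsigned char *in, size_t in_len, size_t *declared)
{
    if (in_len < HDR_LEN || in[0] != SYNC_HI || in[1] != SYNC_LO)
        return -1;
    *declared = in[2];
    /* Input-side check only: the payload must exist in the input buffer. */
    if (in_len - HDR_LEN < *declared)
        return -1;
    return 0;
}

/* Vulnerable: never compares the declared length with the staging buffer. */
int parse_syncframe_unchecked(union decoder_mem *m, const unsigned char *in, size_t in_len)
{
    size_t declared;
    if (check_header(in, in_len, &declared) != 0)
        return -1;
    /* Keeps the demo inside the allocation; a real decoder has no such fence. */
    if (declared > sizeof m->raw - offsetof(struct decoder_state, frame))
        return -1;
    m->s.frame_len = (uint32_t)declared;
    memcpy(m->raw + offsetof(struct decoder_state, frame), in + HDR_LEN, declared);
    return 0;
}

/* Hardened: the declared length is also checked against the destination. */
int parse_syncframe_checked(union decoder_mem *m, const unsigned char *in, size_t in_len)
{
    size_t declared;
    if (check_header(in, in_len, &declared) != 0)
        return -1;
    if (declared > FRAME_MAX)
        return -1;
    m->s.frame_len = (uint32_t)declared;
    memcpy(m->s.frame, in + HDR_LEN, declared);
    return 0;
}

/* Builds a frame of `payload_len` 0x41 bytes into `out`; returns total size. */
size_t build_frame(unsigned char *out, size_t out_cap, size_t payload_len)
{
    if (payload_len > 0xFF || out_cap < HDR_LEN + payload_len)
        return 0;
    out[0] = SYNC_HI; out[1] = SYNC_LO; out[2] = (unsigned char)payload_len;
    memset(out + HDR_LEN, 0x41, payload_len);
    return HDR_LEN + payload_len;
}

/* Returns 1 if the parser accepted the frame and on_init was clobbered,
 * 0 if it accepted the frame with on_init intact, -1 if it rejected it. */
int run_parser(int (*parse)(union decoder_mem *, const unsigned char *, size_t), size_t payload_len)
{
    union decoder_mem m;
    unsigned char pkt[HDR_LEN + sizeof(struct decoder_state)];
    size_t n = build_frame(pkt, sizeof pkt, payload_len);
    memset(&m, 0, sizeof m);
    m.s.on_init = real_init;
    if (n == 0 || parse(&m, pkt, n) != 0)
        return -1;
    return m.s.on_init != real_init;
}

int main(void)
{
    size_t overflow = sizeof(struct decoder_state);  /* runs past frame[] into on_init */
    printf("valid frame, unchecked parser:    %d\n", run_parser(parse_syncframe_unchecked, 8));
    printf("overflow frame, unchecked parser: %d\n", run_parser(parse_syncframe_unchecked, overflow));
    printf("overflow frame, checked parser:   %d\n", run_parser(parse_syncframe_checked, overflow));
    return 0;
}
```

Both parsers accept a well-formed 8-byte payload; only the unchecked one accepts a payload as long as the whole state struct, and after it returns the init hook no longer points at real_init. That is the property return-address signing does not touch, and the destination-side check in parse_syncframe_checked is the fix the parser itself needs.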
Why It Matters
The chain shows that even the latest Pixel hardware still depends on legacy audio code paths that can be abused. A single, silent exploit can grant root with no user interaction at all. For defenders, patching the Dolby bug is only the first step: the decoder library itself has to be hardened, which means bounds checks in the bitstream parser and protection for the writable code pointers an overflow can reach (for example full RELRO or control-flow integrity), not just return-address signing.
Forward Look
Project Zero's work shows that zero-click chains adapt to each new OS release. As Android vendors ship newer hardware, the same pattern, a legacy audio flaw plus a new overwrite target at a different library offset, remains viable. Developers must audit third-party media libraries for similar memory-safety bugs and consider architectural changes that shrink the attack surface, such as isolating legacy codec parsing in a sandboxed process, since a mitigation like PAC-RET removes one overwrite target rather than the underlying bug.
Source: A 0-click exploit chain for the Pixel 10: When a Door Closes, a Window Opens
Domain: projectzero.google