Project Zero chained CVE-2025-54957 (Dolby UDC) with a new VPU driver bug to achieve 0-click root on Pixel 10.
Key Takeaways
Porting the Dolby exploit to Pixel 10 was mostly offset updates; return-address pointer authentication (RET PAC) replaced the stack canary, requiring a new overwrite target (dap_cpdp_init).
BigWave driver absent on Pixel 10, but the Tensor G5 VPU driver (/dev/vpu) for the Chips&Media Wave677DV exposes chip MMIO directly to userspace.
The VPU mmap handler calls remap_pfn_range with no size bound, letting any caller map arbitrary physical memory, including the full kernel image.
The kernel sits at a fixed physical offset from VPU memory on Pixel, so no scanning is needed; arbitrary kernel read/write took 5 lines of code.
Google patched it in 71 days (February Pixel bulletin), the first Android driver bug the researcher has seen patched within 90 days.
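The takeaway about the unbounded remap_pfn_range call describes a bug class with a well-known fix: an mmap handler must bound the caller-supplied page offset and length to the device window before it computes a PFN, and every step of that arithmetic must be safe against wraparound because all three inputs come from userspace. The following is an added example and not code from the Project Zero post or from the Pixel VPU driver; it uses user-space stand-ins for the kernel types so it builds and runs outside the kernel, and the register window, addresses, struct names and function names are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for kernel constants so this builds in user space (assumption). */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)
#define EINVAL     22

/* The device register window the driver is allowed to expose (constructed). */
struct mmio_region {
    uint64_t phys_base;   /* physical base of the device registers */
    uint64_t size;        /* window size in bytes, page-aligned */
};

/* The fields of struct vm_area_struct that an mmap bound check needs. */
struct vma_view {
    uint64_t vm_start;    /* user virtual start of the requested mapping */
    uint64_t vm_end;      /* user virtual end (exclusive) */
    uint64_t vm_pgoff;    /* mmap offset argument, in pages */
};

/* Record of what the handler would pass to remap_pfn_range, for inspection. */
struct remap_call {
    bool     made;
    uint64_t pfn;         /* first physical page that would be mapped */
    uint64_t len;         /* bytes that would be mapped */
};

/*
 * The bound check an unbounded handler omits. Without it, vm_pgoff and
 * (vm_end - vm_start) are caller-chosen, so the PFN handed to remap_pfn_range
 * can land on any physical page. Each arithmetic step is guarded against
 * wraparound because all three values originate in userspace.
 */
bool mmap_request_in_bounds(const struct mmio_region *reg, const struct vma_view *vma)
{
    uint64_t len, off;

    if (vma->vm_end <= vma->vm_start)
        return false;
    len = vma->vm_end - vma->vm_start;
    if (len & (PAGE_SIZE - 1))
        return false;                            /* lengths must be page-granular */

    if (vma->vm_pgoff > (UINT64_MAX >> PAGE_SHIFT))
        return false;                            /* vm_pgoff << PAGE_SHIFT would wrap */
    off = vma->vm_pgoff << PAGE_SHIFT;

    /* off + len must stay inside the window; written so neither side overflows */
    if (off >= reg->size || len > reg->size - off)
        return false;
    return true;
}

/*
 * Hardened handler shape: validate first, then expose only the sub-range of
 * the device window the caller asked for. Returns 0 on success and -EINVAL on
 * rejection, following the kernel convention. The remap is recorded, not done.
 */
int bounded_mmio_mmap(const struct mmio_region *reg, const struct vma_view *vma,
                      struct remap_call *out)
{
    out->made = false;
    if (!mmap_request_in_bounds(reg, vma))
        return -EINVAL;
    out->made = true;
    out->pfn  = (reg->phys_base >> PAGE_SHIFT) + vma->vm_pgoff;
    out->len  = vma->vm_end - vma->vm_start;
    return 0;
}

int main(void)
{
    /* Constructed 16-page register window and two requests: one inside, one just past it. */
    const struct mmio_region regs = { .phys_base = 0x10000000ULL, .size = 16 * PAGE_SIZE };
    struct vma_view inside = { .vm_start = 0x70000000ULL, .vm_end = 0x70001000ULL, .vm_pgoff = 0 };
    struct vma_view past   = { .vm_start = 0x70000000ULL, .vm_end = 0x70001000ULL, .vm_pgoff = 16 };
    struct remap_call rc;

    int r = bounded_mmio_mmap(&regs, &inside, &rc);
    printf("in-window request: rc=%d pfn=0x%llx len=0x%llx\n", r,
           (unsigned long long)rc.pfn, (unsigned long long)rc.len);
    r = bounded_mmio_mmap(&regs, &past, &rc);
    printf("request one page past the window: rc=%d (mapped=%d)\n", r, rc.made);
    return 0;
}
```

The check rejects four distinct shapes of bad input (inverted range, non-page length, a page offset whose byte conversion would wrap, and an offset or length reaching past the window), which is the set a reviewer would look for in any driver mmap path that ends in remap_pfn_range.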
Hacker News Comment Review
Commenters noted that the kernel-exposure bug was trivially spotted on a cursory audit, raising concern about how many similar issues remain in other vendor drivers.
One commenter highlighted the researcher’s own quote that this is the first Android driver bug patched within 90 days, flagging that as alarming context for the broader Android ecosystem outside Google’s Pixel line.
Notable Comments
@greesil: flags that a sub-90-day patch time being a first is “kind of frightening” for non-Pixel Android devices.