Google Project Zero Demonstrates 0-Click Exploit Chain Achieving Root Access on Pixel 10

Google Project Zero researchers have successfully developed a functional 0-click exploit chain targeting the Google Pixel 10, achieving full root access on Android with just two exploits. This research follows a previously disclosed exploit chain for the Pixel 9, demonstrating that the underlying vulnerability class posed a broader threat across multiple device generations and potentially the entire Android ecosystem.

The exploit builds on CVE-2025-54957, a critical Dolby vulnerability that researchers describe as existing across all of Android until its patch in January 2026. Adapting the Pixel 9 exploit to the Pixel 10 required primarily updating memory offsets specific to the library version targeted. However, researchers encountered a significant architectural difference: the Pixel 10 implements Return-Oriented Programming authentication (RET PAC) in place of the traditional -fstack-protector mechanism. This change eliminated __stack_chk_fail as an overwrite target, forcing the team to identify alternative code execution paths. After iterative testing, researchers leveraged dap_cpdp_init initialization code as a viable workaround to achieve code execution.

The findings highlight persistent security challenges in Android's attack surface, even on flagship devices with modern hardening measures. A 0-click exploit—requiring no user interaction—capable of escalating to root represents a severe threat model, particularly in targeted surveillance scenarios. The successful bypass of RET PAC on Pixel 10 suggests that hardware-level security features, while raising the cost of exploitation, remain circumventable for sophisticated actors. Project Zero's public disclosure and functional demonstration provide device manufacturers and the broader security community critical intelligence for hardening future Android implementations against similar attack vectors.