Google Project Zero Achieves Zero-Click Remote Root on Pixel 10
Google Project Zero has published research demonstrating a zero-click remote root exploit chain for the Pixel 10, illustrating the evolving frontier of Android security.
The team previously demonstrated a similar chain on the Pixel 9 using a Dolby audio codec zero-click vulnerability, which was patched in January 2026. When targeting the Pixel 10, they found the BigWave driver had been removed, but the new VPU (Video Processing Unit) driver on the Tensor G5 chip contained an equally dangerous and remarkably shallow flaw.
The VPU driver’s vpu_mmap function performed no bounds checking on memory mapping size, allowing attackers to map arbitrary physical memory starting from the VPU register region. Since Pixel devices map the kernel at a fixed physical address, attackers can bypass KASLR trivially. The team reported that achieving arbitrary kernel read-write required just 5 lines of code, and writing the full exploit took under a day.
Android VRP rated this vulnerability as “High” severity — an improvement over the “Moderate” rating given to the similarly impactful BigWave bug on the Pixel 9. The vulnerability was patched within 71 days of reporting, appearing in the February Pixel security bulletin.
Project Zero emphasized that driver security remains a critical weak point in the Android ecosystem. The report urges chip makers and driver developers to adopt proactive code auditing practices rather than relying on external security researchers to find blatantly obvious vulnerabilities.
For those tracking the AI and agent ecosystem, this research carries a broader implication: as on-device AI and agent applications increasingly rely on specialized hardware blocks (NPUs, VPUs) in mobile SoCs, the security of these novel drivers will directly determine the trustworthiness of the entire ecosystem. The Tensor G5 is Google’s first fully in-house smartphone chip, and the security lessons from its VPU driver are directly relevant to any AI chip maker building custom silicon.