Google Project Zero researchers have disclosed a significant exploit chain targeting the Pixel 10, evolving from a zero-click Dolby vulnerability previously found in the Pixel 9. While porting the exploit, the team discovered a critical kernel vulnerability in a new VPU driver (/dev/vpu) used for video decoding acceleration. The driver exposes hardware interfaces directly to userspace, and its mmap handler contained a shallow bug: it did not confine the requested mapping to the device's register region, so a caller could map arbitrary physical memory.
The vulnerability let userspace applications map physical memory beyond the intended register region, including the kernel image itself (.text and .data). Because the kernel image sits at a static physical address on Pixel devices, no address leak is required and exploitation was trivial: a few lines of code yielded arbitrary kernel read and write. The issue was patched in the February Pixel security bulletin, a significant improvement in Android's vulnerability triage and remediation speed compared with previous driver issues.
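To make the bug class concrete, the following is an added example (not Project Zero's code and not the VPU driver's source, which the page does not show) that models the offset check an mmap handler must perform before handing a page frame number to remap_pfn_range(). The register base, window size and the "kernel image" target address are constructed placeholders; the real values for /dev/vpu are not given here. The vulnerable variant trusts the caller's page offset outright, while the hardened variant rejects any range that leaves the register window, including offsets that would wrap when converted to bytes.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values standing in for the driver's MMIO window; the real
 * /dev/vpu register base and size are not stated on the page. */
#define VPU_REG_BASE 0x1c000000ULL   /* hypothetical physical base of the register block */
#define VPU_REG_SIZE 0x10000ULL      /* hypothetical 64 KiB register window */
#define PAGE_SHIFT_  12              /* 4 KiB pages, as on arm64 Pixel kernels (assumption) */
#define PAGE_SIZE_   (1ULL << PAGE_SHIFT_)
#define MMAP_REJECT  UINT64_MAX      /* sentinel for "handler returns -EINVAL" */

/* The two inputs an mmap handler gets from the vma: the page offset the
 * caller passed to mmap(2) (already >> PAGE_SHIFT) and the vma length. */
struct mmap_req {
    uint64_t pgoff;   /* vma->vm_pgoff, fully attacker controlled */
    uint64_t len;     /* vma->vm_end - vma->vm_start, page aligned */
};

/* Vulnerable pattern: base + caller offset with no range check, so any
 * physical page reachable by adding to the base can be selected.
 * Returns the pfn that would be passed to remap_pfn_range(). */
uint64_t vpu_mmap_vulnerable(const struct mmap_req *req)
{
    return (VPU_REG_BASE >> PAGE_SHIFT_) + req->pgoff;   /* no bounds check */
}

/* Hardened check: [off, off + len) must lie inside the register window,
 * written so that neither the shift nor the addition can overflow. */
uint64_t vpu_mmap_hardened(const struct mmap_req *req)
{
    uint64_t off;

    if (req->len == 0 || (req->len & (PAGE_SIZE_ - 1)) != 0)
        return MMAP_REJECT;                      /* empty or unaligned vma */
    if (req->pgoff > (UINT64_MAX >> PAGE_SHIFT_))
        return MMAP_REJECT;                      /* pgoff << PAGE_SHIFT would wrap */
    off = req->pgoff << PAGE_SHIFT_;
    if (off >= VPU_REG_SIZE || req->len > VPU_REG_SIZE - off)
        return MMAP_REJECT;                      /* range leaves the register window */
    return (VPU_REG_BASE >> PAGE_SHIFT_) + req->pgoff;
}

int main(void)
{
    /* Constructed target: a page well outside the register window, playing
     * the role of the kernel image's fixed physical address. */
    const uint64_t fake_kernel_phys = 0x80000000ULL;
    struct mmap_req regs   = { 0, PAGE_SIZE_ };
    struct mmap_req kernel = { (fake_kernel_phys - VPU_REG_BASE) >> PAGE_SHIFT_, PAGE_SIZE_ };

    printf("registers : vulnerable pfn 0x%llx, hardened pfn 0x%llx\n",
           (unsigned long long)vpu_mmap_vulnerable(&regs),
           (unsigned long long)vpu_mmap_hardened(&regs));
    printf("kernel    : vulnerable pfn 0x%llx, hardened %s\n",
           (unsigned long long)vpu_mmap_vulnerable(&kernel),
           vpu_mmap_hardened(&kernel) == MMAP_REJECT ? "rejected" : "ALLOWED");
    return 0;
}
```

The hardened form checks `len > VPU_REG_SIZE - off` rather than `off + len > VPU_REG_SIZE` precisely because the second form can wrap for large offsets and pass the check; the same wrap-safe pattern applies to any driver that derives a physical address from vma->vm_pgoff.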