
Pixel 10 Zero-Click-to-Root Dolby CVE-2025-54957 and /dev/vp... #2230

Open
carlospolop wants to merge 1 commit into master from update_Pixel_10_Zero-Click-to-Root__Dolby_CVE-2025-54957__20260513_195602

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://projectzero.google/2026/05/pixel-10-exploit.html
  • Blog Title: Pixel 10 Zero-Click-to-Root: Dolby CVE-2025-54957 and /dev/vpu Kernel mmap Privilege Escalation
  • Suggested Section: Binary Exploitation / Android or Linux Kernel Exploitation; alternatively Mobile Pentesting / Android Applications Pentesting / Android Media Pipelines Image Parsers for the Dolby zero-click portion

🎯 Content Summary

Google Project Zero explains how a previous Pixel 9 zero-click-to-root exploit chain was adapted to Pixel 10. The original chain used two bugs: a Dolby UDC zero-click vulnerability affecting Android broadly, CVE-2025-54957, and a Pixel 9 BigWave driver local privilege escalation. For Pixel 10, the Dolby exploit remained mostly portable, but the BigWave privilege-escalation stage had to be replaced because BigWave is not shipped on Pixel 10.

1. Updating the Dolby z...

🔧 Technical Details

Exploit porting when compiler hardening changes overwrite targets: When adapting a memory-corruption exploit to a new device or library version, update all version-specific offsets and re-evaluate control-flow or overwrite targets affected by compiler hardening. In this case, Pixel 10 replaced -fstack-protector behavior with RET PAC, so __stack_chk_fail was no longer a usable overwrite target. A practical replacement was dap_cpdp_init, an initialization routine called once during decoder setup and never again. The abstract trick is to search for one-shot initialization functions or other post-initialization-dead code paths that can be overwritten without destabilizing the process after the exploit has gained control.

Unbounded MMIO mmap as a physical-memory read/write primitive: A kernel driver is vulnerable when its mmap handler maps a fixed physical device base into userspace but trusts the caller...

🤖 Agent Actions

Done.

Updated:

  • src/binary-exploitation/linux-kernel-exploitation/pixel-bigwave-bigo-job-timeout-uaf-kernel-write.md

What I added:

  • A new section documenting the Pixel 10 /dev/vpu unbounded mmap() MMIO bug
  • Why trusting vm->vm_end - vm->vm_start in remap_pfn_range() yields a physical-memory mapping primitive
  • A short exploitation model from mediacodec to kernel .text/.data R/W
  • Reviewer guidance on bounding MMIO mappings
  • References to the Project Zero Pixel 10 blog and the issue tracker

Why only this:

  • The Dolby UDC bug was already covered in existing HackTricks content.
  • The new, non-duplicated technique was the kernel-driver side: oversized MMIO mmap() exposing contiguous physical memory.

Validation:

  • Checked the diff and verified the internal ref path.
  • mdbook build could not be executed here because mdbook is not installed in the environment.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
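The /dev/vpu bug class summarised in the Technical Details above (an mmap handler that passes vm_end - vm_start straight to remap_pfn_range() without bounding it to the device window) modelled in userspace C, with the unbounded handler beside the bounded form that the "reviewer guidance on bounding MMIO mappings" calls for. This is an added example, not code from the Project Zero post, the Pixel driver, or the HackTricks page: the kernel types are replaced by minimal stand-ins, VPU_MMIO_BASE and VPU_MMIO_SIZE are hypothetical placeholders, and fake_remap_pfn_range() only records the physical range it would have been asked to map.

```c
/* Userspace model of a Linux character-device mmap handler for an MMIO window.
 * Added example: not code from the Project Zero post or the HackTricks page.
 * Kernel types (vm_area_struct, remap_pfn_range) are replaced by minimal
 * stand-ins so the logic runs and can be tested outside the kernel.
 * The device base and window size below are hypothetical placeholders. */
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>
#include <errno.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

/* Hypothetical MMIO window: 64 KiB of device registers at a made-up address. */
#define VPU_MMIO_BASE  0x10000000UL
#define VPU_MMIO_SIZE  0x10000UL

/* Minimal stand-in for the struct vm_area_struct fields an mmap handler uses. */
struct vma {
    unsigned long vm_start;  /* userspace start address */
    unsigned long vm_end;    /* userspace end address (exclusive) */
    unsigned long vm_pgoff;  /* file offset in pages, from the mmap() offset argument */
};

/* What remap_pfn_range() would have been asked to map. */
struct mapping {
    unsigned long phys_start;
    unsigned long phys_end;   /* exclusive */
};

/* Stand-in for remap_pfn_range(): records the physical range instead of mapping it. */
static int fake_remap_pfn_range(struct mapping *out, unsigned long pfn, unsigned long size)
{
    out->phys_start = pfn << PAGE_SHIFT;
    out->phys_end = out->phys_start + size;
    return 0;
}

/* Vulnerable pattern from the write-up: the size comes from vm_end - vm_start
 * (chosen by the caller of mmap()) and is mapped at the device base as-is, so a
 * large request reaches physical memory far beyond the register window. */
int vpu_mmap_unbounded(const struct vma *vma, struct mapping *out)
{
    unsigned long size = vma->vm_end - vma->vm_start;
    return fake_remap_pfn_range(out, VPU_MMIO_BASE >> PAGE_SHIFT, size);
}

/* Hardened form: bound both the offset and the length to the device window. */
int vpu_mmap_bounded(const struct vma *vma, struct mapping *out)
{
    unsigned long size = vma->vm_end - vma->vm_start;
    unsigned long off;

    /* Reject the page offset before shifting it, so the shift cannot overflow. */
    if (vma->vm_pgoff > (VPU_MMIO_SIZE >> PAGE_SHIFT))
        return -EINVAL;
    off = vma->vm_pgoff << PAGE_SHIFT;

    /* Length must be non-zero and page-aligned, and off + size must stay inside
     * the window; written as a subtraction so the comparison cannot overflow. */
    if (size == 0 || (size & (PAGE_SIZE - 1)) != 0)
        return -EINVAL;
    if (size > VPU_MMIO_SIZE - off)
        return -EINVAL;

    return fake_remap_pfn_range(out, (VPU_MMIO_BASE + off) >> PAGE_SHIFT, size);
}

/* True when a recorded mapping lies entirely inside the device window. */
bool mapping_within_window(const struct mapping *m)
{
    return m->phys_start >= VPU_MMIO_BASE &&
           m->phys_end <= VPU_MMIO_BASE + VPU_MMIO_SIZE &&
           m->phys_start <= m->phys_end;
}

int main(void)
{
    /* Constructed request: a 1 GiB VMA against a 64 KiB register window. */
    struct vma oversized = { .vm_start = 0x7f0000000000UL,
                             .vm_end = 0x7f0000000000UL + 0x40000000UL,
                             .vm_pgoff = 0 };
    struct mapping m;

    vpu_mmap_unbounded(&oversized, &m);
    printf("unbounded: phys 0x%lx-0x%lx, inside window: %s\n",
           m.phys_start, m.phys_end, mapping_within_window(&m) ? "yes" : "no");
    printf("bounded:   rc=%d\n", vpu_mmap_bounded(&oversized, &m));
    return 0;
}
```

The shape of the bounded check is the part worth carrying into a real review: validate vm_pgoff before shifting it, derive the permitted length by subtraction rather than by adding off + size, and require page alignment, so that neither a huge offset nor a huge length can wrap past the window.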

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://projectzero.google/2026/05/pixel-10-exploit.html

Content Categories: Based on the analysis, this content was categorized under "Binary Exploitation / Android or Linux Kernel Exploitation; alternatively Mobile Pentesting / Android Applications Pentesting / Android Media Pipelines Image Parsers for the Dolby zero-click portion".

Repository Maintenance:

  • MD Files Formatting: 974 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

