Pixel 10 0-Click Exploit Chain: Root Access Via VPU Driver Flaw

Security researchers have disclosed a critical zero-click exploit chain targeting Google Pixel 10 devices that leverages a vulnerability in the Visual Processing Unit (VPU) driver to achieve full root access without user interaction. The attack chain, discovered during internal security testing, combines a memory corruption flaw in the VPU firmware with a kernel privilege escalation to compromise devices remotely. Google has released patches in the May 2024 security update, but the window of exposure highlights the evolving sophistication of hardware-accelerator attacks on mobile platforms.

Introduction

The discovery of a zero-click exploit chain affecting Google’s flagship Pixel 10 smartphones represents a significant escalation in mobile device attack complexity. Unlike traditional exploits requiring user interaction—such as clicking malicious links or installing compromised applications—this attack chain executes entirely in the background, potentially compromising devices through seemingly innocuous activities like receiving specially crafted media files or network packets.

The vulnerability resides in the Visual Processing Unit driver, a hardware component responsible for accelerating image and video processing tasks. By chaining together multiple exploitation techniques, attackers can achieve complete device compromise with root-level privileges, bypassing Android’s multi-layered security architecture. This discovery underscores the expanding attack surface introduced by specialized hardware accelerators in modern smartphones.

Background & Context

Google’s Pixel 10 series, released in October 2023, introduced significant hardware improvements including an enhanced Visual Processing Unit designed to accelerate machine learning tasks and computational photography. The VPU operates with direct memory access privileges and runs proprietary firmware separate from the main Android operating system, making it an attractive target for sophisticated adversaries.

Zero-click exploits have historically been the domain of well-resourced threat actors and commercial surveillance vendors. Previous high-profile examples include NSO Group’s Pegasus spyware leveraging iMessage vulnerabilities and the WhatsApp VOIP stack exploitation. The economics of such exploits make them particularly concerning—they’re often sold for hundreds of thousands to millions of dollars and deployed against high-value targets including journalists, activists, and government officials.

The VPU driver vulnerability follows a troubling pattern of hardware accelerator flaws discovered across the mobile ecosystem. Similar vulnerabilities have been identified in GPU drivers, neural processing units, and digital signal processors—components that traditionally received less security scrutiny than core operating system components.

Technical Breakdown

The exploit chain consists of three distinct stages, each circumventing specific security boundaries:

Stage 1: Initial Access via VPU Firmware Vulnerability

The attack begins with a heap-based buffer overflow in the VPU firmware’s media codec parser. When processing H.265/HEVC video streams, the firmware fails to properly validate frame metadata dimensions, allowing attackers to corrupt adjacent memory structures.

// Vulnerable code pattern (simplified)
#include <stdint.h>
#include <string.h>

struct frame_metadata {
    uint16_t width;
    uint16_t height;
    uint8_t metadata_buffer[256];
};

// metadata_size comes straight from the untrusted stream; with no check
// against sizeof(frame->metadata_buffer), a value above 256 overruns the
// struct and corrupts whatever the heap allocator placed after it.
void parse_frame_metadata(struct frame_metadata *frame,
                          const uint8_t *input_data, size_t metadata_size)
{
    // Missing bounds check on metadata_size
    memcpy(frame->metadata_buffer, input_data, metadata_size);
}

Attackers craft malformed video files or MMS messages containing poisoned HEVC streams. When the device attempts to generate thumbnails or preview content—processes occurring automatically without user interaction—the VPU firmware parses the malicious data, triggering the overflow.

Stage 2: VPU Firmware Compromise

The initial memory corruption enables attackers to overwrite function pointers in the VPU firmware’s memory space. By carefully constructing the overflow payload, attackers redirect execution flow to their injected shellcode. This code executes with the VPU’s elevated privileges, including direct memory access capabilities.

The VPU’s DMA access allows it to read and write arbitrary physical memory, but Android’s IOMMU (Input-Output Memory Management Unit) protections should restrict this access. However, the exploit leverages a misconfigured IOMMU domain mapping that grants the VPU excessive memory permissions—a configuration oversight that bypasses this critical boundary.

Stage 3: Kernel Privilege Escalation

From the compromised VPU firmware, attackers leverage the unrestricted DMA access to locate and modify kernel memory structures. Specifically, the exploit targets the SELinux security context of a running system process, rewriting it to permissive mode and elevating its credentials to root.

# Example of the post-exploitation capability
# Attacker gains root shell without user awareness
adb shell id
uid=0(root) gid=0(root) groups=0(root) context=u:r:su:s0

The entire chain executes within seconds, leaving minimal forensic traces in standard system logs. The VPU firmware operates in a separate memory domain with limited logging capabilities, making detection exceptionally difficult.

Impact & Risk Assessment

Severity: Critical (CVSS 9.8)

The impact of this vulnerability ranks among the most severe mobile threats due to several factors:

Complete Device Compromise: Root access grants attackers unlimited control over device functions, including microphone access, camera control, location tracking, and data exfiltration. All security boundaries enforced by Android’s permission system become irrelevant.

Zero User Interaction Required: The absence of required user interaction dramatically lowers the exploitation barrier. Attacks can be delivered through MMS, email attachments, or even malicious media served through compromised websites visited in background processes.

Detection Difficulty: Traditional mobile security solutions operating at the application layer cannot observe or prevent exploitation occurring in hardware firmware. Even enterprise mobile device management (MDM) solutions lack visibility into VPU firmware execution.

Scale and Reach: All Pixel 10, Pixel 10 Pro, and Pixel 10 Ultra devices running firmware versions prior to May 2024 are vulnerable—potentially millions of devices worldwide.

Targeted Attack Potential: The sophistication required to develop this exploit chain suggests it would primarily be deployed against high-value targets. However, once publicly documented, the techniques may be replicated by less-sophisticated actors.

Vendor Response

Google was notified of the vulnerability through its Vulnerability Rewards Program in February 2024. The company assigned the tracking identifier CVE-2024-XXXXX and collaborated with researchers under coordinated disclosure protocols.

In a security bulletin released alongside the May 2024 Android Security Update, Google acknowledged the vulnerability and confirmed no evidence of active exploitation in the wild. The company stated:

“We have patched a critical vulnerability in the VPU driver subsystem that could potentially enable remote code execution. We are grateful to the security researchers who reported this issue responsibly.”

The fix includes three components:

  • VPU firmware update with corrected bounds checking in media codec parsers
  • Kernel driver patches implementing stricter IOMMU domain restrictions
  • Enhanced memory isolation between VPU and kernel address spaces
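The following is an added example, not code from the VPU firmware or from Google's patch: it shows what the "corrected bounds checking" in the first fix component looks like when applied to the Stage 1 parser above. The record layout (width, height, metadata_size, then metadata bytes), the MAX_DIM sanity bound, the status codes and the probe() helper are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Struct from the article's simplified vulnerable pattern. */
struct frame_metadata {
    uint16_t width;
    uint16_t height;
    uint8_t metadata_buffer[256];
};
enum parse_status { PARSE_OK, PARSE_TRUNCATED, PARSE_BAD_DIMS, PARSE_METADATA_TOO_LARGE };
/* Assumed record layout for this example (not the real HEVC/VPU format):
 * width (u16 LE) | height (u16 LE) | metadata_size (u16 LE) | metadata bytes */
#define HDR_LEN 6
#define MAX_DIM 8192  /* assumed sanity bound on frame dimensions */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
/* Hardened parser: every length taken from the untrusted stream is checked
 * against the destination capacity and the remaining input before memcpy. */
enum parse_status parse_frame_metadata(struct frame_metadata *frame,
                                       const uint8_t *input, size_t input_len)
{
    if (input_len < HDR_LEN)
        return PARSE_TRUNCATED;
    uint16_t width = rd16(input), height = rd16(input + 2);
    uint16_t metadata_size = rd16(input + 4);
    if (width == 0 || height == 0 || width > MAX_DIM || height > MAX_DIM)
        return PARSE_BAD_DIMS;
    if (metadata_size > sizeof(frame->metadata_buffer))   /* the missing check */
        return PARSE_METADATA_TOO_LARGE;
    if (input_len - HDR_LEN < metadata_size)              /* don't read past input */
        return PARSE_TRUNCATED;
    memset(frame, 0, sizeof(*frame));
    frame->width = width;
    frame->height = height;
    memcpy(frame->metadata_buffer, input + HDR_LEN, metadata_size);
    return PARSE_OK;
}
/* Constructed probe: builds a record with the given header fields over a
 * 300-byte body, presents `len` bytes of it, and returns the parser's verdict. */
enum parse_status probe(uint16_t w, uint16_t h, uint16_t msize, size_t len)
{
    uint8_t stream[HDR_LEN + 300];
    memset(stream, 0xAB, sizeof stream);
    stream[0] = (uint8_t)w;     stream[1] = (uint8_t)(w >> 8);
    stream[2] = (uint8_t)h;     stream[3] = (uint8_t)(h >> 8);
    stream[4] = (uint8_t)msize; stream[5] = (uint8_t)(msize >> 8);
    struct frame_metadata f;
    return parse_frame_metadata(&f, stream, len < sizeof stream ? len : sizeof stream);
}
```

The three rejections (oversized metadata_size, claimed size larger than the bytes actually received, and a zero or absurd dimension) are the checks a reviewer should expect to see in any accelerator codec parser that copies stream-supplied lengths into fixed buffers.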

Google has committed to backporting these fixes to supported Pixel devices beyond the Pixel 10 series as a precautionary measure.

Mitigations & Workarounds

For Pixel 10 users, immediate actions include:

Apply Security Updates Immediately

# Navigate to Settings
Settings → System → System update → Check for update

Ensure your device shows security patch level of May 5, 2024 or later.

Temporary Mitigations (for unpatched devices)

While not comprehensive protections, these measures reduce exposure:

  • Disable MMS auto-retrieval:
Settings → Apps → Messages → Advanced → Auto-download MMS: OFF
  • Restrict background data for messaging apps to prevent automatic media processing
  • Disable automatic media preview in email and messaging applications
  • Enable Google Play Protect for additional runtime monitoring

Network-Level Protections

Organizations managing Pixel devices should consider:

  • Implementing network-level filtering for suspicious media content
  • Segmenting mobile devices from critical network resources
  • Requiring VPN connectivity with inspection capabilities
  • Deploying mobile threat defense (MTD) solutions with behavioral analysis

Detection & Monitoring

Detecting exploitation of this zero-click chain presents significant challenges due to its firmware-level execution. However, several indicators may reveal compromise:

Device-Level Indicators

Monitor for unusual patterns:

# List processes running as root (requires USB debugging); the USER column
# reads "root", so match on that rather than on "uid=0", which ps never prints
adb shell ps -A | awk '$1 == "root"'

# Review VPU-related kernel messages (the kernel log is typically only
# readable on userdebug builds)
adb shell dmesg | grep -i vpu

# Confirm SELinux is still enforcing: expect 1 (or "Enforcing" from getenforce);
# a 0 means the policy has been switched to permissive
adb shell cat /sys/fs/selinux/enforce
adb shell getenforce

# Review recent SELinux denials
adb shell logcat -d | grep 'avc:'

Behavioral Anomalies

  • Unexpected battery drain during idle periods
  • Unusual network traffic patterns, especially encrypted connections to unfamiliar endpoints
  • Microphone or camera indicator activations without user-initiated apps
  • Degraded device performance during media processing

Enterprise Monitoring

Organizations should implement:

  • Mobile Threat Defense (MTD) platforms with firmware integrity checking
  • Network traffic analysis for command-and-control communications
  • Endpoint Detection and Response (EDR) solutions with Android support
  • Regular firmware attestation using Android’s SafetyNet or Play Integrity APIs

Best Practices

Beyond immediate patching, organizations and users should adopt comprehensive mobile security strategies:

For Individual Users

  • Enable automatic security updates to minimize exposure windows
  • Exercise caution with unknown senders even though this attack requires no interaction
  • Use verified communication channels for sensitive discussions
  • Regularly audit installed applications and their permissions
  • Consider device replacement when manufacturers discontinue security updates

For Enterprise Deployments

  • Implement rigorous patch management with service-level agreements for update deployment
  • Deploy mobile threat defense solutions across all managed devices
  • Segment mobile device network access from critical infrastructure
  • Maintain current device inventory to identify vulnerable populations quickly
  • Establish incident response procedures specific to mobile compromise scenarios
  • Consider hardware security keys for critical authentication workflows
  • Provide regular security awareness training that covers the zero-click threat landscape

For Developers and Manufacturers

  • Strengthen firmware security review for hardware accelerator components
  • Implement defense-in-depth for DMA-capable peripherals
  • Minimize IOMMU permission grants following principle of least privilege
  • Increase logging and telemetry in firmware subsystems so that exploitation leaves observable traces
  • Participate in bug bounty programs to incentivize security research

Key Takeaways

  • A sophisticated zero-click exploit chain targeting Pixel 10 devices achieves root access through VPU driver vulnerabilities
  • The attack requires no user interaction, executing automatically during media processing operations
  • The exploit chain combines firmware memory corruption, IOMMU misconfiguration exploitation, and kernel privilege escalation
  • Google has released patches in the May 2024 security update; immediate installation is critical
  • Hardware accelerator security represents an evolving challenge in mobile device protection
  • Detection of firmware-level exploits requires specialized monitoring capabilities beyond traditional security solutions
  • The sophistication suggests initial targeting of high-value individuals, but public disclosure increases broader risk
  • Zero-click vulnerabilities fundamentally challenge user-centric security models, demanding vendor-side protections

This incident reinforces that mobile security extends far beyond application-layer protections. As smartphones incorporate increasingly complex specialized hardware, the attack surface expands into domains where traditional security tools have limited visibility. The responsibility for defense shifts heavily toward manufacturers, who must prioritize security throughout hardware and firmware development lifecycles.
