Pixel 10 VPU bug exposed kernel memory in five lines
Google Project Zero identified a critical zero-click exploit chain affecting Pixel 10 devices, stemming from vulnerabilities in the Dolby UDC and in a new driver for the Chips&Media Wave677DV video processing unit (VPU). The VPU vulnerability, which allowed userspace to map large portions of physical memory and potentially overwrite kernel functions, was patched in the February Pixel security bulletin, 71 days after discovery.
Key Takeaways
- The flaw sat in the Pixel 10 /dev/vpu driver for the Chips&Media Wave677DV VPU on Tensor G5.
- The mmap handler used remap_pfn_range based on VMA size, not the actual register-region size.
- By requesting a larger mmap, userspace could map physical memory beyond the VPU registers, including the kernel image.
- Project Zero said arbitrary read-write on the kernel took 5 lines of code and a full exploit took less than a day.
- Android VRP rated the issue High severity and patched it 71 days after report, in the February Pixel security bulletin.
Why It Matters
This is a straightforward kernel-memory exposure in a Pixel 10 media driver: the bug let userspace map physical memory well past the VPU register block, including kernel .text and .data. For Android's driver stack, it shows that security-sensitive hardware interfaces can still ship with simple bounds-checking mistakes. The patch timeline is also notable: Android VRP rated it High severity and fixed it in 71 days, faster than the earlier BigWave issue on Pixel 9. Watch whether other Tensor G5 device drivers get similarly close audits after this report.
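To make the bounds-check mistake concrete, here is an added userspace C model of the two handler shapes (an illustrative example, not the Pixel driver's code): the vulnerable version takes its remap length from the VMA alone, while the hardened version checks offset and length against the register block's resource size before any remap would happen. PAGE_SHIFT, the 64 KiB block size and the addresses are assumed values.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)

/* Vulnerable shape of the handler described above: the remap length is
 * taken from the VMA (vm_end - vm_start), so any caller-chosen size is
 * honoured and remap_pfn_range() would walk past the register block. */
static bool vulnerable_remap_len_ok(uint64_t region_size, uint64_t vm_start, uint64_t vm_end)
{
    (void)region_size;              /* never consulted: that is the bug */
    return vm_end > vm_start;       /* would call remap_pfn_range(len) */
}

/* Hardened shape: offset + length must fit inside the resource size the
 * driver got for the register block before any remap. Returns 0 or -EINVAL,
 * mirroring a kernel mmap handler's return convention. */
static int hardened_mmap_check(uint64_t region_size, uint64_t vm_start,
                               uint64_t vm_end, uint64_t vm_pgoff)
{
    uint64_t len, off;

    if (vm_end <= vm_start)
        return -EINVAL;
    len = vm_end - vm_start;
    if (len & (PAGE_SIZE - 1))
        return -EINVAL;             /* mmap lengths are page multiples */
    if (vm_pgoff > (UINT64_MAX >> PAGE_SHIFT))
        return -EINVAL;             /* vm_pgoff is in pages; shift would overflow */
    off = vm_pgoff << PAGE_SHIFT;
    /* Same test as off + len <= region_size, written so it cannot wrap */
    if (off >= region_size || len > region_size - off)
        return -EINVAL;
    return 0;
}

int main(void)
{
    const uint64_t lo = 0x7f0000000000ULL, regs = 0x10000; /* constructed 64 KiB block */
    /* An exact-size request passes both checks; a 256 MiB request only passes the vulnerable one */
    return (hardened_mmap_check(regs, lo, lo + regs, 0) == 0 &&
            vulnerable_remap_len_ok(regs, lo, lo + 0x10000000ULL) &&
            hardened_mmap_check(regs, lo, lo + 0x10000000ULL, 0) == -EINVAL) ? 0 : 1;
}
```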
Read full article at projectzero.google
