Google Project Zero Demonstrates 0-Click Exploit Chain for Pixel 10

Google Project Zero has published a 0-click exploit chain targeting the Pixel 10, following its earlier Pixel 9 research. The work extends CVE-2025-54957 — a Dolby audio vulnerability patched in January 2026 — with a second-stage exploit to achieve root on the updated hardware, requiring no user interaction. The chain demonstrates that modern Android security mitigations can be circumvented with two carefully crafted exploits on current flagship hardware. This is defensive research: all findings were shared with Google prior to publication and patches are in progress. Pixel users should apply the May 2026 security update as soon as it becomes available.