May 15, 2026

Your phone called—it’s haunted

A 0-click exploit chain for the Pixel 10

Pixel 10 security scare has commenters joking, panicking, and dragging Android

TLDR: Researchers say an unpatched Pixel 10 could be taken over without the user doing anything, thanks to a chain of serious flaws. Commenters were split between praising the clear report, roasting Google and Android security, and spiraling over whether AI is making these discoveries happen faster.

The big reveal here is downright nightmare fuel for anyone who thought a shiny new phone meant safer internals: researchers say they could turn a zero-click bug — meaning the victim doesn’t even have to tap anything — into full control of a Pixel 10 on older, unpatched software. In plain English, that means a bad actor could potentially go from “sending something sneaky” to owning the phone at its deepest level. And the comments? Absolute alarm bells mixed with popcorn energy.

One of the strongest reactions was pure fear: people were stunned that such a devastating flaw seemed so simple to find. One commenter basically said the write-up was so clear that even a non-expert could follow it, which is both a compliment and a terrifying plot twist. Another mood dominating the thread: is Google actually doing okay here, or is the rest of the industry just worse? A commenter praised the fix arriving within 90 days, then immediately turned that into a horror movie question about what that says for everyone else — and even dragged Apple into the group chat.

Then came the hot takes. GrapheneOS got a shoutout as the cool overachiever, with one commenter snarking that it somehow achieves strong security on the same hardware where Google missed a basic safety measure. And of course, because it’s 2026, AI entered the drama too: multiple commenters wondered whether we’re seeing more scary bugs because AI is helping people find them — or whether the internet is just louder about every exploit now. The vibe of the thread is basically: great bug report, terrible news, no one is sleeping tonight.

Key Points

  • The article describes adapting a previously published zero-click-to-root exploit chain from Pixel 9 to Pixel 10.
  • The Dolby exploit for CVE-2025-54957 was updated for Pixel 10 by changing target offsets and replacing the overwrite target because Pixel 10 uses RET PAC.
  • The prior BigWave-based privilege-escalation step could not be used on Pixel 10 because the BigWave driver is not present on that device.
  • The authors and Jann Horn identified a severe flaw in the Pixel 10 VPU driver exposed at /dev/vpu for Chips&Media Wave677DV hardware on Tensor G5.
  • According to the article, the VPU driver's mmap implementation can map arbitrary physical memory into userspace, enabling access to and modification of the kernel image on unpatched devices.
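
The last key point describes an mmap handler that can reach arbitrary physical memory. As an added illustration (not code from the article or from the Pixel driver), this userspace C model shows the kind of check that confines an mmap request to a window the device owns; `dev_window`, `mmap_request_ok` and the sample window values are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12u

/* Hypothetical: the only physical window a driver may expose to
 * userspace (its own buffer or register range). */
struct dev_window {
    uint64_t base_pfn;  /* first page frame of the window */
    uint64_t nr_pages;  /* window length in pages */
};

/* pgoff: page offset passed to mmap() (vm_pgoff in a Linux handler).
 * len:   mapping length in bytes (vm_end - vm_start).
 * Returns true and sets *out_pfn only when [pgoff, pgoff + len) lies
 * entirely inside the window. */
bool mmap_request_ok(const struct dev_window *w, uint64_t pgoff,
                     uint64_t len, uint64_t *out_pfn)
{
    if (len == 0 || (len & ((1ull << PAGE_SHIFT) - 1)))
        return false;               /* whole pages only */
    uint64_t pages = len >> PAGE_SHIFT;
    if (pgoff >= w->nr_pages)
        return false;               /* starts outside the window */
    if (pages > w->nr_pages - pgoff)
        return false;               /* runs past the end; the subtraction
                                       cannot wrap, unlike pgoff + pages */
    /* The caller's offset is relative to the window, never an absolute PFN. */
    *out_pfn = w->base_pfn + pgoff;
    return true;
}

int main(void)
{
    /* Constructed sample window: 16 pages starting at PFN 0x90000. */
    struct dev_window w = { 0x90000, 16 };
    uint64_t pfn = 0;
    printf("in-window:  %d\n", mmap_request_ok(&w, 15, 4096, &pfn));
    printf("past end:   %d\n", mmap_request_ok(&w, 15, 8192, &pfn));
    printf("huge pgoff: %d\n", mmap_request_ok(&w, UINT64_MAX, 4096, &pfn));
    return 0;
}
```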

Hottest takes

"It does make me scared for what other dangers lurk" — phuff
"makes me feel better about Google, but also makes me kind of frightened of the rest of Android" — greesil
"GrapheneOS achieves high security level on the same hardware where Google failed" — NooneAtAll3