The research team's technical writeup demonstrates that the Tensor G5 GPU driver — a chip-specific component not shared with other Android devices — became the critical pivot point for kernel access. This directly challenges Google's marketing of the Tensor G-series as fundamentally harder to exploit than Snapdragon alternatives, showing that proprietary hardware introduces proprietary attack surface.
The editorial explicitly argues that Google's Tensor security promise — Titan M2, hardware MTE, custom secure enclave — gets tested by this chain. It frames the finding as evidence that custom silicon doesn't eliminate attack surface but rather moves it to new, less-audited components like GPU drivers.
Project Zero reported all bugs to Android Security in February 2026, held publication until after the May 2026 patch window, and Pixel devices received OTA fixes on May 5 — all within the team's standard 90-day disclosure policy. The writeup demonstrates their internal disclosure pipeline functioning smoothly even when the target is Google's own flagship hardware.
The technical writeup details a multi-stage chain — malformed RCS media payload to memory corruption to sandbox escape to kernel root — that executes in under 3 seconds with zero user interaction and no visual indicator. The emphasis on the attack requiring only that a message be received underscores that no amount of user vigilance can prevent exploitation.
Submitted the Project Zero writeup to Hacker News where it garnered 168 points and 72 comments, indicating the community recognized the severity of a full 0-click chain targeting Google's current flagship as a significant security event worth broad attention.
Google's Project Zero team published a detailed technical writeup of a full 0-click remote code execution chain targeting the Pixel 10, Google's current flagship running the Tensor G5 chipset. The exploit requires zero user interaction — receiving a specially crafted RCS message is sufficient to achieve persistent root-level access to the device.
The research, led by Project Zero members, demonstrates a multi-stage attack that chains together vulnerabilities across several layers of the Android media stack. The chain starts with a malformed media payload delivered via RCS, triggers a memory corruption bug in the media codec parser, escapes the media sandbox via a logic flaw in an IPC bridge, and pivots through a previously unknown vulnerability in the Tensor G5 GPU driver to achieve kernel code execution. The full chain — from message receipt to root shell — executes in under 3 seconds with no visual indicator to the user.
Google disclosed the vulnerabilities through its standard coordinated disclosure process. All bugs were reported to Android Security in February 2026 and patched in the May 2026 Android Security Bulletin. Pixel devices received the fix via OTA on May 5. The Project Zero team held publication until after the patch window, following their standard 90-day policy.
### The Tensor security promise gets tested
Google has marketed the Tensor G-series as a security-first chip architecture. The Titan M2 security core, hardware memory tagging (MTE), and a custom secure enclave were all positioned as making Pixel devices fundamentally harder to exploit than Qualcomm Snapdragon-based alternatives. This exploit chain demonstrates that custom silicon doesn't eliminate attack surface — it redistributes it. The GPU driver, a Tensor-specific component not shared with other Android devices, became the critical pivot point for kernel access.
This matters because the security industry has been moving toward "secure by silicon" narratives — Apple's Secure Enclave, Google's Tensor/Titan stack, Qualcomm's SPU. The Project Zero research is a data point that custom silicon introduces custom attack surface. The GPU driver vulnerability exists precisely because it's a bespoke Google component with a smaller review surface than battle-tested mainline kernel drivers.
### The RCS attack vector is expanding
RCS — the successor to SMS that Google has been aggressively pushing — creates a richer attack surface than its predecessor. Unlike SMS, RCS supports high-resolution media, read receipts, typing indicators, and end-to-end encryption (in Google Messages). That richness means more complex parsers processing untrusted input from the network, which is exactly the condition that breeds 0-click exploits.
The media codec parser bug at the start of this chain is structurally similar to the infamous Stagefright vulnerabilities from 2015, suggesting that a decade of hardening hasn't fully closed this class of bug in Android's media stack. The difference is that modern exploit mitigations (ASLR, CFI, MTE) made exploitation harder — but "harder" clearly doesn't mean "impossible" when a motivated researcher has months to work.
The community response on Hacker News (score 168 and climbing) has been a mix of admiration for the technical depth of the writeup and concern about the implications. Several commenters noted that the IPC bridge between the media sandbox and the GPU driver was a design-level flaw, not just an implementation bug — the sandbox was correctly isolating the media process, but the escape path through the GPU was an architectural blind spot.
### The Android patch gap remains the real vulnerability
Google patched Pixel devices within the coordinated disclosure window. But the Android ecosystem's structural fragmentation means the patch timeline for everyone else is measured in months, not days. Samsung, OnePlus, Xiaomi, and other OEMs run their own modified kernels and GPU driver stacks. Even if the media codec bugs can be patched via Project Mainline modules, the GPU driver fix requires OEM-specific kernel updates.
For the roughly 3 billion Android devices that aren't Pixels, the window between public disclosure and available patch is the actual vulnerability. This is the persistent, unresolved problem with Android security: Google's response time is excellent, but Google only controls about 10% of the Android install base. The exploit is now public. The patches are not universally available. The math is straightforward.
### For Android app developers
If your app receives or processes media content from untrusted sources — and in 2026, that's most apps — this research is a reminder to minimize your media parsing surface. Use Android's MediaCodec APIs rather than bundling custom decoders. Ensure your app doesn't hold unnecessary permissions that could be leveraged as a pivot point if the OS-level sandbox is compromised. Review your app's IPC interfaces: the bridge between sandboxed and privileged components is exactly where this chain escalated.
More specifically, if you're using RCS APIs or building anything on Google's Messages platform, treat every incoming payload as adversarial. The 0-click nature of this chain means your users' devices can be compromised before your app code even runs.
### For security teams
This is a textbook example of why defense-in-depth matters more than any single mitigation. MTE was enabled, ASLR was active, CFI was enforced — and the chain still succeeded by finding a path through a component (the GPU driver) where those mitigations had gaps in coverage. If your threat model assumes that hardware memory tagging makes memory corruption exploitation impractical, this research is your wake-up call to update that assumption.
For organizations with BYOD policies that include Android devices, the patch gap creates a concrete risk window. Consider whether your MDM policies enforce minimum security patch levels and whether you can detect indicators of compromise associated with this chain before patches are universally available.
### For the broader industry
The Project Zero writeup is technically excellent — a 0-click chain with full technical details published after responsible disclosure. This is how security research should work. But it also highlights an uncomfortable reality: the best-resourced security team in the world (Google's own) found these bugs in Google's own silicon running Google's own OS. The attack surface of modern mobile devices is vast enough that even the vendor with the most resources and the most incentive to find bugs can't catch them all before they ship.
The industry trend toward custom silicon (Apple, Google, Amazon, Microsoft) means more bespoke drivers, more unique code paths, and more potential for bugs that static analysis and fuzzing haven't been tuned to find. This is an argument for more investment in hardware security review — not just at the chip level, but at every driver and firmware boundary.
Expect a wave of follow-on research targeting other Tensor-specific components. Project Zero's publication of the full chain gives other researchers a roadmap for where to look — the GPU driver boundary, the IPC bridge architecture, the media sandbox escape paths. Google will likely accelerate its Tensor driver audit program and may expand MTE coverage in future Pixel releases. For the rest of the Android ecosystem, this is another data point in the long-running argument for faster, more centralized security patching — a problem that Project Mainline was supposed to solve but has only partially addressed. The 0-click exploit isn't the story. The story is how long 3 billion devices stay unpatched after the fix exists.
"This is notably fast given that this is the first time that an Android driver bug I reported was patched within 90 days of the vendor first learning about the vulnerability."This makes me feel better about Google, but also makes me kind of frightened of the rest of Android. I wonder what
Semi-related: has the rate of published exploits picked up as if late, or is it simply the fact that there’s hype around ai as security tool (offense or defense) so it’s simply in the news more often?Feels like there’s something new every other day - linux, windows, mobile, various commonplace tools
Hmmm... I'd like someone to double check my thinking here. I posted this exact prompt for gpt 5.5 xhigh:```does this look right to you? don't do any searches or check memory, just think through first principlesstatic int vpu_mmap(struct file fp, struct vm_area_struct vm) { unsigned long pf
I've run into similar issues before. The solution seems reasonable, but I'm skeptical about the claimed performance improvements.
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
I followed the link to the Pixel 9 bug/exploit and saw this:"Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One effect of this change is increased 0-click attack surface, as efficient an