Security researchers have detailed a zero-click exploit chain against the Google Pixel 10. The chain leverages CVE-2025-54957, a memory-corruption vulnerability in the Dolby audio codec library that Google patched in the January 2026 Android Security Bulletin. The Pixel 10 chain is an adaptation of the earlier Pixel 9 chain with memory offsets updated for the Pixel 10 firmware: the bug is fixed, but the technique carries over to any device still running an unpatched build.
For defenders this is not a theoretical exercise: it is a confirmed path to root privileges that requires no user interaction (zero-click). Any route that feeds a crafted audio file to the Dolby decoder can trigger it. If your organization manages Pixel 10 fleets, assume that every device below the January 2026 patch level is exposed to interception or data theft until it is updated.
Technical Analysis
- Affected Products: Google Pixel 10 (and potentially other Android devices utilizing the vulnerable Dolby library versions prior to the Jan 2026 patch).
- CVE Identifier: CVE-2025-54957 (Dolby component vulnerability).
- Attack Vector: Zero-click. The exploit is triggered by processing a malformed audio stream or file via the Dolby codec.
- Mechanism: The bug is in how the Dolby library handles syncframe structures in the audio bitstream. A crafted syncframe corrupts memory inside the decoding process; memory offsets tuned to the Pixel 10's library builds turn that corruption into reliable arbitrary code execution.
- Impact: The chain escalates from the codec process, which Android confines with SELinux and seccomp, to full root on the Android operating system, defeating the platform's process isolation and security model.
- Exploitation Status: Proof-of-Concept (PoC) code has been detailed, and the vulnerability was patched in January 2026. In-the-wild exploitation is not confirmed in this advisory, but a zero-click chain of this kind is valuable to advanced threat actors; plan as if exploitation is likely.
Detection & Response
Detecting zero-click exploits on mobile endpoints is notoriously difficult because the initial trigger looks like ordinary activity (an audio stream being decoded). Post-exploitation behaviour, however, leaves observable signals.
When CVE-2025-54957 is exploited successfully, the attacker moves from a compromised codec process to a root shell. On current Android builds, software codecs run in mediaswcodec (under /apex/com.android.media.swcodec) and vendor codec HAL services rather than the legacy mediaserver, so hunt by path fragment rather than a single process name. The telltales are anomalous process spawning (a media or codec process launching sh or su) and unexpected network connections from system-level binaries that normally never talk externally.
The following detection rules focus on these post-exploitation anomalies rather than the hard-to-detect initial trigger. Android does not emit process-creation or socket telemetry in a form Sigma can consume on its own; the rules assume an EDR or MDM agent that normalizes those events into the process_creation and network_connection log sources.
---
title: Suspicious Shell Spawn from Media Services - Pixel 10 Exploit
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects media server or codec processes spawning a shell (sh/su), a common indicator of successful local privilege escalation on Android.
references:
  - https://projectzero.google/2026/05/pixel-10-exploit.html
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: process_creation
  product: android
detection:
  selection:
    ParentImage|contains:
      - '/media'
      - '/dolby'
      - 'codec'
    Image|endswith:
      - '/sh'
      - '/su'
  condition: selection
falsepositives:
  - Legitimate developer debugging on test devices
  - Apps that spawn /system/bin/sh via Runtime.exec from a parent path that happens to match a marker (tune the ParentImage list to your telemetry)
level: high
---
title: Anomalous Network Connection from System Binaries
id: b2c3d4e5-6789-01ab-cdef-2345678901bc
status: experimental
description: Detects network connections initiated by system binaries that are typically passive or local-only, potentially indicating a backdoor established via root exploit.
references:
  - https://projectzero.google/2026/05/pixel-10-exploit.html
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: android
detection:
  selection:
    Image|contains:
      - '/system/bin'
    Initiated: 'true'
  filter_legit:
    Image|contains:
      - '/system/bin/wpa_supplicant'
      - '/system/bin/dnsmasq'
  condition: selection and not filter_legit
falsepositives:
  - Rare OS update checks or specific carrier services
  - System daemons with legitimate egress not yet listed in filter_legit (baseline your fleet and extend the filter before alerting)
level: medium
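To exercise the two rules above offline before shipping them to an EDR pipeline, here is an added example (not code from the original advisory or the referenced write-up) that implements the same selection logic in Python and runs it over a handful of constructed process_creation and network_connection events. The field names (ParentImage, Image, Initiated) mirror the Sigma rules and are an assumption about how your agent normalizes Android telemetry; the process paths in the sample events are constructed for the illustration, not captured from a device.

```python
"""Offline check of the two post-exploitation detections above.

Added example, not code from the advisory. The event records are constructed
to resemble normalized process_creation / network_connection telemetry from a
mobile EDR/MDM agent; the field names follow the Sigma rules and are an
assumption about your pipeline.
"""

# Rule 1: a media/codec process spawning a shell (Sigma: ParentImage|contains + Image|endswith).
MEDIA_PARENT_MARKERS = ("/media", "/dolby", "codec")
SHELL_SUFFIXES = ("/sh", "/su")

# Rule 2: an outbound connection from /system/bin, minus the known legitimate talkers.
SYSTEM_BIN = "/system/bin"
NETWORK_ALLOWLIST = ("/system/bin/wpa_supplicant", "/system/bin/dnsmasq")


def media_shell_spawn(event: dict) -> bool:
    """Rule 1: parent path contains a media/codec marker AND child image ends with /sh or /su."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    return any(marker in parent for marker in MEDIA_PARENT_MARKERS) and image.endswith(SHELL_SUFFIXES)


def system_binary_egress(event: dict) -> bool:
    """Rule 2: connection initiated by a /system/bin binary that is not allowlisted."""
    image = event.get("Image", "")
    initiated = str(event.get("Initiated", "")).lower() == "true"
    if not (SYSTEM_BIN in image and initiated):
        return False
    return not any(allowed in image for allowed in NETWORK_ALLOWLIST)


def run_detections(events):
    """Apply the rule matching each event's log category; return (rule_title, event) hits in order."""
    hits = []
    for ev in events:
        if ev.get("category") == "process_creation" and media_shell_spawn(ev):
            hits.append(("Suspicious Shell Spawn from Media Services", ev))
        elif ev.get("category") == "network_connection" and system_binary_egress(ev):
            hits.append(("Anomalous Network Connection from System Binaries", ev))
    return hits


# Constructed sample telemetry (assumed field names, not real captures).
SAMPLE_EVENTS = [
    # benign: an app process spawning sh via Runtime.exec; parent path has no marker
    {"category": "process_creation", "ParentImage": "/system/bin/app_process64", "Image": "/system/bin/sh"},
    # suspicious: the software codec service spawning a shell ("/mediaswcodec" matches "/media")
    {"category": "process_creation", "ParentImage": "/apex/com.android.media.swcodec/bin/mediaswcodec",
     "Image": "/system/bin/sh"},
    # suspicious: a (hypothetical) Dolby vendor service spawning su
    {"category": "process_creation", "ParentImage": "/vendor/bin/hw/dolby.audio-service", "Image": "/system/xbin/su"},
    # benign: wpa_supplicant egress is allowlisted
    {"category": "network_connection", "Image": "/system/bin/wpa_supplicant", "Initiated": "true",
     "DestinationIp": "192.0.2.1"},
    # benign: an inbound/listening socket, not an initiated connection
    {"category": "network_connection", "Image": "/system/bin/mediaserver", "Initiated": "false",
     "DestinationIp": "0.0.0.0"},
    # suspicious: a media binary opening an outbound connection
    {"category": "network_connection", "Image": "/system/bin/mediaserver", "Initiated": "true",
     "DestinationIp": "198.51.100.7"},
]

if __name__ == "__main__":
    for title, ev in run_detections(SAMPLE_EVENTS):
        print(f"[{title}] {ev}")
```

Running it yields three hits: the two shell spawns from codec-like parents and the outbound connection from mediaserver. Note what it does not catch: a shell spawned from a codec process whose path contains none of the three markers, or a root shell that never spawns sh or su at all. Treat the marker list as a starting point and extend it from the process paths your own telemetry shows for mediaswcodec and the vendor codec HALs.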
KQL (Microsoft Sentinel / Defender)
// Hunt for media/codec processes spawning shell commands (sh/su) on Android endpoints
// Assumes the Android agent reports process telemetry into DeviceProcessEvents.
// ProcessVersionInfo* fields come from Windows PE version resources and are not
// populated for Android binaries, so match on FileName instead. Substring matches
// are used because "has" is term-based and would miss names like mediaswcodec.
// Scope to Android devices via DeviceInfo.OSPlatform if your tenant mixes platforms.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFolderPath matches regex @"(?i)(media|dolby|codec)"
    or InitiatingProcessFileName matches regex @"(?i)(media|dolby|codec)"
| where FileName in~ ("sh", "su")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessFolderPath, FileName, ProcessCommandLine
| order by Timestamp desc
Velociraptor VQL
-- Hunt for media/codec processes spawning shells, indicative of CVE-2025-54957 exploitation
-- VQL has no JOIN keyword: collect the live shell processes first, then look up
-- each one's parent with pslist(pid=...) and keep the parents that look like codecs.
LET Shells = SELECT Pid AS ChildPid, Ppid, Name AS ChildName,
                    CommandLine AS ChildCommandLine, Username AS ChildUser
             FROM pslist()
             WHERE Name =~ "^(sh|su)$"

SELECT Name AS ParentProcess, Pid AS ParentPid,
       ChildName, ChildPid, ChildCommandLine, ChildUser
FROM foreach(
    row=Shells,
    query={
        SELECT Name, Pid, ChildName, ChildPid, ChildCommandLine, ChildUser
        FROM pslist(pid=Ppid)
        WHERE Name =~ "media|dolby|codec"
    })
Remediation Script (Bash)
#!/bin/bash
# Verification script for CVE-2025-54957 (Pixel 10)
# Compares the Android Security Patch Level with the January 2026 fix.
# Run from a workstation with adb: the device's own shell is mksh and has
# no /bin/bash, so this script is not meant to run on the phone itself.
#   ./check_patch_level.sh            # single attached device
#   ./check_patch_level.sh <serial>   # pick one of several attached devices
REQUIRED_DATE="2026-01-01"
if [[ -n "$1" ]]; then
  PATCH_LEVEL=$(adb -s "$1" shell getprop ro.build.version.security_patch 2>/dev/null)
else
  PATCH_LEVEL=$(adb shell getprop ro.build.version.security_patch 2>/dev/null)
fi
PATCH_LEVEL=${PATCH_LEVEL//$'\r'/}   # strip the CR that adb shell may append
if [[ -z "$PATCH_LEVEL" ]]; then
  echo "[ERROR] Could not read ro.build.version.security_patch (device attached and authorized?)"
  exit 2
fi
echo "Checking Android Security Patch Level..."
echo "Current Level:  $PATCH_LEVEL"
echo "Required Level: $REQUIRED_DATE or later"
# The property is an ISO date (YYYY-MM-DD), so a lexicographic comparison orders it correctly.
if [[ "$PATCH_LEVEL" > "$REQUIRED_DATE" || "$PATCH_LEVEL" == "$REQUIRED_DATE" ]]; then
  echo "[PASS] Device appears to be patched against CVE-2025-54957."
  exit 0
else
  echo "[FAIL] Device is VULNERABLE."
  echo "Action: Apply the latest Android Security Update immediately."
  exit 1
fi
Remediation
- Apply Security Patches Immediately: Google addressed the underlying Dolby vulnerability in the January 2026 Android Security Bulletin. Ensure all Pixel 10 devices are updated to the latest available security patch level, specifically checking that the patch date is 2026-01-01 or later.
- Verify Patch Installation: Use the provided Bash script or your Mobile Device Management (MDM) solution to query ro.build.version.security_patch across your fleet and confirm 100% compliance.
- Vendor Advisory: Refer to the Google Pixel Security Bulletin for January 2026 for the specific firmware build numbers for the Pixel 10.
- Monitor for IOCs: Even after patching, scan device logs for the process anomalies described in the Detection section to rule out historical compromise or failed exploitation attempts.
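To run the patch-level check at fleet scale from an MDM export rather than one device at a time, here is an added example (not from the advisory) in Python. The CSV layout, column names and device rows are constructed for the illustration; the threshold is the January 2026 patch level the advisory gives. What it adds over the on-device script is that a blank or malformed patch level is reported as UNKNOWN instead of silently passing or failing a string comparison, and a Pixel 9 row is included because the affected library is not unique to the Pixel 10.

```python
"""Fleet patch-level compliance for CVE-2025-54957.

Added example, not code from the advisory. It consumes an MDM export of
ro.build.version.security_patch per device; the CSV columns below are an
assumption about your MDM's export format and the rows are constructed,
not real inventory.
"""
import csv
import io
import re
from datetime import date

# The fix shipped in the January 2026 Android Security Bulletin (per the advisory).
REQUIRED_PATCH = date(2026, 1, 1)

# Android reports the property as an ISO date; anything else is unknown, not patched.
PATCH_LEVEL_RE = re.compile(r"\d{4}-\d{2}-\d{2}")

# Constructed MDM export with assumed column names.
FLEET_CSV = """\
device_id,model,security_patch
pixel10-001,Pixel 10,2026-01-05
pixel10-002,Pixel 10,2025-12-05
pixel10-003,Pixel 10,
pixel10-004,Pixel 10,2026-1-5
pixel9-001,Pixel 9,2025-11-05
"""


def parse_patch_level(value):
    """Return a date for a well-formed YYYY-MM-DD patch level, otherwise None."""
    if not isinstance(value, str):
        return None
    value = value.strip()
    if not PATCH_LEVEL_RE.fullmatch(value):
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:  # e.g. 2026-13-40 passes the regex but is not a real date
        return None


def classify(patch_level):
    """PATCHED if the level is at or after the required bulletin, VULNERABLE if before, UNKNOWN if unparseable."""
    parsed = parse_patch_level(patch_level)
    if parsed is None:
        return "UNKNOWN"
    return "PATCHED" if parsed >= REQUIRED_PATCH else "VULNERABLE"


def compliance_report(csv_text):
    """Classify every device in the export; returns {status: [device_id, ...]} in input order."""
    report = {"PATCHED": [], "VULNERABLE": [], "UNKNOWN": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        report[classify(row.get("security_patch"))].append(row["device_id"])
    return report


if __name__ == "__main__":
    for status, devices in compliance_report(FLEET_CSV).items():
        print(f"{status:10s} {len(devices):3d}  {', '.join(devices)}")
```

Treat UNKNOWN devices as non-compliant for tracking purposes: a device that cannot report its patch level has not demonstrated that it is patched, and a malformed value usually means the export pipeline, not the device, needs fixing.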