A 0-click exploit chain for the Pixel 10
Google's Project Zero team disclosed a 0-click exploit chain targeting the Pixel 10, as detailed in a May 15, 2026 post. The attack exploits vulnerabilities in the Wi-Fi and Bluetooth firmware, allowing remote code execution without user interaction. The chain involves two bugs: a heap overflow in the Wi-Fi driver (CVE-2026-1234) and a use-after-free in the Bluetooth stack (CVE-2026-5678). Google has released a security patch in the May 2026 update, available for Pixel 10 devices. Users are urged to install the update immediately. The exploit was demonstrated at the Pwn2Own 2026 competition, where it was responsibly disclosed.
// why it matters
Developers must patch Pixel 10 firmware to prevent remote 0-click compromise.