In the space of a single week in May 2026, two of the most consequential security disclosures of the year landed. Google’s Project Zero published a full zero-click exploit chain achieving root on the Pixel 10. Days later, researchers at Calif demonstrated the first public kernel memory corruption exploit on Apple’s M5 silicon, bypassing the much-vaunted Memory Integrity Enforcement (MIE) that Apple spent five years building.
Both attacks share a disturbing trait: they require no user interaction whatsoever. No phishing link. No malicious attachment. No dodgy app install. The device simply receives data and is compromised.
If your team builds web applications, mobile apps, or any software that processes untrusted input, these disclosures are not abstract. They are a blueprint for how modern attacks bypass every layer you thought was protecting you.
TL;DR
- Google Project Zero’s Pixel 10 zero-click chain exploited a Dolby audio flaw and a VPU driver mmap vulnerability to achieve root — with just five lines of exploit code for the privilege escalation stage.
- Calif researchers bypassed Apple’s M5 Memory Integrity Enforcement in five days using standard system calls, proving hardware mitigations are not absolute.
- Zero-click attacks are accelerating because attack surfaces have expanded: background media processing, push notification handlers, Bluetooth stacks, and AI inference pipelines all parse untrusted data without user action.
- Development teams must adopt a zero-trust input model: every parser, codec, and driver that touches external data is a potential zero-click entry point.
- Practical mitigations include sandboxing media processing, fuzzing all parsers, minimising kernel-exposed interfaces, and treating hardware security features as defence-in-depth rather than silver bullets.
The Pixel 10 Chain: Five Lines to Root
The Project Zero disclosure (CVE-2025-54957) is elegant in its brutality. The chain comprises two stages:
Stage one exploits a vulnerability in Dolby audio processing code. Because the Pixel processes incoming audio data automatically — think push notifications, RCS messages, media previews — no user interaction is needed. The researchers adapted their earlier Pixel 9 exploit, updating library offsets and circumventing the Pixel 10’s RET PAC protection by overwriting dap_cpdp_init initialisation code rather than targeting __stack_chk_fail.
Stage two is where it gets alarming. The Video Processing Unit (VPU) driver’s mmap handler failed to validate mapping size boundaries. This meant an attacker could map arbitrary physical memory into userland — including the entire kernel image. The privilege escalation required, in the researchers’ own words, “five lines of code” and less than a day of development.
The chain was reported in November 2025 and patched in the February 2026 security bulletin — a 71-day turnaround that, while improved over historical Android driver patches, still left every Pixel 10 user exposed for over two months.
The M5 Bypass: Five Days to Beat Five Years
Apple’s Memory Integrity Enforcement was supposed to be the answer. Built on ARM’s Memory Tagging Extension, MIE provides hardware-assisted memory safety at the kernel level. Apple publicly claimed it “disrupts every public exploit chain” against modern iOS and macOS.
The Calif team proved otherwise. Working on macOS 26.4.1 running on bare-metal M5 hardware with MIE fully enabled, they achieved a data-only kernel local privilege escalation — from an unprivileged user to root shell — using nothing more exotic than standard system calls.
The critical detail: they paired AI-assisted vulnerability discovery (using Mythos Preview) with human expertise and went from bug discovery to working exploit in five days. Apple spent five years building MIE. It took five days to break it.
This is not an indictment of Apple’s engineering. It is a reminder that no single mitigation layer is sufficient. Hardware security features buy you time and raise the cost of exploitation, but they do not eliminate the underlying vulnerability classes.
Why Zero-Click Is the New Normal
Zero-click exploits are not new — NSO Group’s Pegasus made the concept infamous. But what has changed is the sheer breadth of zero-click attack surface on modern devices and applications:
- Background media processing: Audio codecs, image decoders, and video transcoders all parse complex, untrusted data before the user sees anything. The Pixel 10 chain exploited exactly this.
- Push notification handlers: Rich push notifications parse HTML, images, and structured data server-side and client-side — all without a tap.
- Bluetooth and NFC stacks: Proximity-based protocols process data from nearby devices automatically.
- AI inference pipelines: On-device ML models ingest and process data streams continuously. As we covered in our piece on Chrome’s silent AI install, 4 GB of Gemini Nano now runs on devices parsing inputs with minimal user awareness.
- Message preview rendering: iMessage, RCS, WhatsApp, and Slack all render previews of links, images, and documents without requiring the recipient to open them.
Every one of these represents a code path that processes untrusted external input without user action. Every one is a zero-click attack surface.
What This Means for Development Teams
You might think this is a problem for Apple and Google’s platform security teams, not yours. That would be a mistake. If your application processes any form of untrusted input in the background — and nearly all applications do — the same principles apply.
1. Audit Your Background Processing Paths
Map every code path in your application that processes external data without explicit user action. This includes:
- Webhook handlers
- Background sync and data refresh
- Push notification payload parsing
- Image and document thumbnail generation
- Email attachment scanning
- API request body parsing
Each of these is a potential zero-click entry point. Treat them accordingly.
2. Sandbox Your Parsers
The Pixel 10 exploit succeeded because the Dolby audio codec ran with sufficient privileges to be useful as a first-stage exploit. Isolate media processing, file parsing, and data transformation into sandboxed processes with minimal privileges. If a parser is compromised, the blast radius should be contained.
On the web, this means using Web Workers for heavy parsing, Content Security Policy to limit execution contexts, and — where possible — WebAssembly sandboxes for complex data processing.
3. Fuzz Everything That Touches External Data
The VPU driver vulnerability was a classic bounds-checking failure — the kind that fuzzing catches reliably. If your application includes custom parsers, codecs, or data transformation logic, continuous fuzzing is not optional. Tools like AFL++, libFuzzer, and OSS-Fuzz exist precisely for this.
For web applications, consider fuzzing your API endpoints with tools like RESTler or Schemathesis. If your application accepts file uploads, fuzz the processing pipeline with malformed inputs.
4. Minimise Kernel and System-Level Exposure
The M5 exploit used standard system calls. The fewer system interfaces your application exposes or relies upon, the smaller your kernel attack surface. On Linux, use seccomp-bpf to restrict available syscalls. On containerised deployments, drop capabilities aggressively. In serverless environments, leverage the ephemeral nature of function execution as an inherent blast-radius limiter.
5. Treat Hardware Mitigations as Defence-in-Depth
The M5 bypass is a masterclass in why defence-in-depth matters more than any single control. MIE, ASLR, PAC, MTE — these are all valuable layers. But if your security model depends on any one of them being unbreakable, your security model is already broken.
Layer your defences: input validation, sandboxing, least privilege, monitoring, and rapid patching. No single layer needs to be perfect if the combination is robust.
The AI Acceleration Factor
Perhaps the most sobering detail from the M5 disclosure is the role of AI. The Calif team used Mythos Preview — an AI system — to assist in vulnerability discovery. This is not the first time we have seen AI accelerate exploit development (we covered the first AI-generated zero-day earlier this year), but the M5 case makes the trend undeniable.
When AI can help researchers find and exploit hardware-level vulnerabilities in days rather than months, the window between vulnerability introduction and active exploitation collapses further. This reinforces what we discussed in our piece on the collapsing exploit window: your patch cycle needs to be faster than ever, and your architecture needs to be resilient to unpatched vulnerabilities.
The Bottom Line
Zero-click exploits are not going away. They are getting cheaper, faster to develop, and broader in scope. The Pixel 10 and M5 disclosures are not anomalies — they are the new baseline.
For development teams, the lesson is clear: assume every input parser is a potential entry point, sandbox aggressively, fuzz continuously, and never rely on a single layer of defence. The attackers certainly do not.
At REPTILEHAUS, we help development teams build security into their architecture from the ground up — from threat modelling and secure code review to DevSecOps pipeline integration. If your team needs help reducing its attack surface, get in touch.
