Project Zero found a 0-click Pixel 10 exploit using baseband and media codec flaws
Google Project Zero uncovered a 0-click exploit chain on the Pixel 10 that combines baseband and media codec vulnerabilities, enabling full device compromise without user interaction. Patches are now available via the May 2026 Android security update.
Google Project Zero has disclosed a 0-click exploit chain affecting the Pixel 10, leveraging flaws in the baseband processor and the Android media codec framework to achieve full device compromise without user interaction [Project Zero Blog]. The attack begins with a maliciously crafted SMS that triggers a buffer overflow in the baseband, then chains to a use-after-free vulnerability in the media codec service to escalate privileges and gain persistent access.
The vulnerabilities—CVE-2026-1844 (baseband heap overflow) and CVE-2026-1902 (media codec UAF)—were patched in the May 2026 Android security bulletin. Project Zero's analysis shows the exploit works on Pixel 10 models running Android 15 with unpatched firmware [Project Zero Blog]. No evidence of in-the-wild exploitation has been found, but the attack vector requires only the victim’s phone number.
This chain bypasses Android’s exploit mitigations, including ASLR and SELinux, by leveraging improper memory handling in low-level system services. The baseband flaw resides in Qualcomm’s modem firmware, while the media codec issue stems from insufficient validation in the Android framework’s video parsing logic.
Why it matters:
— A 0-click attack via SMS expands the threat model for high-risk users, including journalists and officials.
— The exploit targets firmware and system services that receive less scrutiny than app-layer code.
— Patch adoption remains uneven: 40% of Pixel 10 devices were unpatched two weeks after the update was released, per Project Zero estimates.


