Google has disclosed a serious zero-click vulnerability affecting the Pixel 10 series, saying the issue could be used to gain kernel read/write access with just five lines of code. The company says the flaw has already been fixed, but the technical details make it clear how dangerous the bug could have been if attackers had weaponized it at scale.
According to Google, the problem was rooted in a pointer corruption issue in the Pixel 10 kernel. The vulnerability was found by Android Security Team researchers Jann Horn and Kevin Stadmeyer and is tracked as CVE-2026-6723. The company described it as a zero-click issue because it could be triggered remotely without the target user needing to tap a link, open a file, or otherwise interact with the attacker.
Google said the exploit path involved the phone’s RCS message-processing pipeline. In the proof-of-concept chain, a maliciously crafted RCS message could be received and processed automatically. From there, the bug made it possible to corrupt a critical kernel pointer, opening the door to unauthorized memory access inside the operating system.
The company also shared an especially striking detail: researchers were able to demonstrate the key exploit stage using only five lines of code. That does not mean real-world attack infrastructure would be equally small, but it does underline how little room for error exists when a kernel-level bug can be driven so efficiently once the right conditions are met.
Google says the issue has now been patched in its latest security rollout, and affected users should install updates as soon as they become available for their devices. As with many modern mobile threats, the risk is highest when a vulnerability combines remote reach, silent triggering, and deep system privileges. This case touched all three.
For everyday users, the practical takeaway is simple: keep system updates enabled, install Android security patches promptly, and avoid delaying carrier or OEM updates when a major security fix is released. For the broader industry, the incident is another reminder that messaging stacks and background parsers remain high-value attack surfaces, especially when they can process complex content before a user even sees it.
At this point, Google has not said that the flaw was actively exploited in the wild before the patch became available. Even so, public disclosure of a bug this powerful is likely to draw close attention from mobile security researchers, enterprise defenders, and competing device vendors alike.