Five Days to Zero-Day: When AI Accelerates Exploit Development, the Threat Model Changes Forever

Google's Project Zero just disclosed something that should change how every security team on Earth thinks about their threat model: a full privilege-escalation exploit chain for the Pixel 10, built from zero knowledge to full root access in startlingly compressed time. This is not a theoretical concern about what AI might do someday. This is a verified, disclosed, documented exploit chain that Google's own elite security team produced against their own flagship hardware. And the surrounding context from this week makes the implications impossible to ignore. If Project Zero can do this, every team with less capability and fewer scruples now has the same tool.

What Project Zero Actually Disclosed

Project Zero recently published a detailed writeup of a 0-click remote code execution chain that achieves full root access on the Pixel 10. The chain required just two vulnerabilities, which is unusually efficient for a modern flagship device.

The first was an updated version of a Dolby Unified Decoder exploit (CVE-2025-54957) that was originally used against the Pixel 9. Porting it to the Pixel 10 required adjusting memory offsets and working around the new RET PAC protection that replaced the older stack protector. Not trivial, but manageable for a team at this level.

The second vulnerability is where things get ugly. A new VPU driver on the Tensor G5 chip, accessible from the mediacodec sandbox, exposed a vulnerability that Project Zero researchers described as "the holy grail of kernel vulnerabilities". The driver's mmap handler let userspace map arbitrary physical memory by simply specifying a VMA size larger than the register region. Five lines of code gave them kernel arbitrary read/write. A full working exploit took less than a day.

The bug was reported November 24, 2025. It was patched 71 days later in the February 2026 Pixel security bulletin. That timeline, notably, was faster than previous Android driver fixes. Project Zero acknowledged this as "meaningful and positive change" in Android's triage pipeline.

The critical detail that connects this to the broader AI security conversation: this research sits inside a Project Zero body of work that has explicitly demonstrated AI-accelerated exploit development. The team's macOS vulnerability research, specifically the "Breaking the Sound Barrier" series by Dillon Franke, involved building privilege-escalation exploit code for macOS where the researchers acknowledged dramatic acceleration from AI assistance. The patterns, tooling, and methodology that enabled the Pixel 10 chain build on research where AI already reduced exploit development timelines from months to days.

Why This Changes Everything

Before AI-assisted exploit development, zero-day discovery required rare, specialized expertise. The talent pool was small. The time investment was measured in months. The barrier to entry was enormous. A working zero-day for a major platform cost between $100,000 and $2 million, and that price tag functioned as a natural filter on who could participate.

After AI-assisted exploit development, the economics invert. Anyone with an API key and a methodology can accelerate vulnerability research dramatically. The expertise bottleneck is being compressed in real time. A world-class team that can do in days what used to take weeks means a mediocre team can do in weeks what used to take months, if they could do it at all.

The Pixel 10 exploit targeted Google's own Tensor G5 chip, their own Titan security hardware, and their own Android build. If Google's hardware falls to research that can be dramatically accelerated, commodity hardware has no chance.

The VPU driver vulnerability itself is damning. It was found after just two hours of auditing by Project Zero researchers working in collaboration. The exact same developers who built the vulnerable BigWave driver on Pixel 9 built this driver, and the same class of bugs appeared five months later. This highlights a massive vulnerability loop: human developers are regressing and making the exact same mistakes across chip generations, while the adversary uses AI to audit and exploit that code in minutes.

And this is happening while the AI offensive security tooling landscape is exploding. Anthropic's Claude Mythos, released in preview, demonstrates autonomous zero-day identification across major systems. This is not a research paper about what might be possible. It is a product feature. OpenAI launched GPT-5.5-Cyber this week, a specialized model for "vetted security teams" that relaxes security constraints to enable malware analysis, vulnerability triage, and patch validation. xAI launched Grok Build, their agentic coding CLI, directly targeting the same developer security workflow. The tools that accelerate research are being commercialized simultaneously by every major lab.

The Threat Model Before and After

Here is the shift in plain terms.

Before AI-accelerated exploits: Nation-state adversaries with dedicated teams and nine-figure budgets dominated the zero-day market. Exploit development timelines were measured in months. A small number of actors could develop zero-days for major platforms. Market prices of $100,000 to $2 million limited who could afford them. The defensive advantage was real: patches could be developed and deployed faster than new exploit chains could be built.

After AI-accelerated exploits: Any actor with API access and basic cybersecurity understanding can accelerate their research. Exploit development timelines compress from months to days. A dramatically larger pool of actors can develop zero-days. Market prices will compress as supply increases, making exploits accessible to more threat actors. And the defensive disadvantage is now structural: patches still take 71 days in a best-case scenario, but AI-accelerated exploit development does not.

Let that sink in. Project Zero reported the VPU bug on November 24. The patch shipped in February. That is 71 days, and Project Zero called it "notably fast". Meanwhile, the exploit code itself took less than a day to write once the vulnerability was found. If AI cuts the discovery phase from months to days, the patch cycle cannot keep up. It was never designed to.

The Convergence That Makes This Existential

This is not happening in isolation. Four separate threads from this week alone converge on the same conclusion.

First, CTF competitions are becoming unwinnable for humans. Frontier AI models solve competition-level security challenges in seconds. The format that was supposed to identify and train the next generation of security talent is effectively broken. When AI solves in seconds what takes human teams days, that capability is not staying inside the competition environment. It is in production attack tools right now.

Second, Anthropic's Claude Mythos demonstrates autonomous zero-day identification as a product feature. This is for real. The capability to find vulnerabilities without human direction already exists in a commercial product. The containment is a policy choice, not a technical constraint.

Third, the trust infrastructure that organizations rely on to verify security is itself crumbling under AI pressure. EY was forced to retract a published study this week after external researchers discovered its conclusions were substantially fabricated by AI hallucination, complete with citations to nonexistent academic papers and fabricated data points. The pivot back to security is crucial here. If a Big Four consulting firm cannot catch AI errors in its own published research, legacy security teams have zero chance of parsing AI-optimized, obfuscated code paths in an exploit chain. The "clean code trap" is real: AI-generated output looks correct on the surface. Exploits generated with AI assistance will look like normal code, normal traffic, and normal behavior until they execute.

Fourth, AI systems are now evaluating other AI systems in ways that create cascading failures. AI job screeners prefer AI-written resumes, creating hiring loops where AI evaluates AI and humans get filtered out. The same dynamic applies to security tooling: AI-assisted vulnerability scanners flag AI-generated code differently than human-written code, and nobody has mapped the blind spots this creates.

What Organizations Need to Do Now

Accept that the exploit development timeline has collapsed. Five days is not the floor. It is a data point and the direction is toward hours, not weeks. Your patch cycle cannot exceed the development cycle, and right now it does.

Treat AI-assisted offensive capabilities as baseline threat modeling, not an edge-case scenario. If you are still running tabletop exercises where the adversary is a human team working on human timelines, you are modeling a world that no longer exists.

Build for detection rather than prevention. If exploits arrive faster than patches can ship, detection latency is the only operational metric that matters. Mean time to detect needs to be the KPI that gets executive attention, not mean time to patch.

Implement zero-trust architecture at the hardware level. The Pixel 10 chain exploited a VPU driver, and the BigWave driver before it, and the Qualcomm DSP driver before that. Context-specific hardware trust at the driver level is now a demonstrated liability across multiple chip generations and vendors.

Demand transparency from AI companies. GPT-5.5-Cyber launched this week for "vetted security teams". Who vets the teams? How long before similar capabilities are available to unvetted ones? Claude Mythos has autonomous zero-day discovery as a product feature, and its access is gated. These are policy choices, not technical constraints. Nothing prevents the same capability from being deployed without gating. The model weights exist. The architecture is understood. The replication timeline is measured in months, not years.

Monitor the CTF canary, but distinguish discovery from weaponization. Competitive security challenges are the leading indicator for discovery. When AI solves them in seconds, that capability is already weaponized. However, AI is now solving the engineering side of exploitation, writing complete working chains that bypass protections like RET PAC. The time between AI finding a bug and AI generating production exploits against real targets is effectively zero.

The Uncomfortable Truth About Dual-Use

Google Project Zero researched vulnerabilities in their own hardware, built a working exploit chain, and disclosed it responsibly. That is the best-case scenario. They are the best in the world at this, and the process got faster because the tooling got better.

GPT-5.5-Cyber exists. Claude Mythos has autonomous zero-day discovery as a feature. Grok Build is in beta. These tools are being commercialized by companies that are in a literal arms race to ship capabilities faster than each other. The "vetted security teams only" gating is a policy choice applied after the capability exists. The genie does not go back in the bottle because someone wrote a terms of service.

Frontier AI's destruction of the CTF format proves the capability is real and deployed. Models that can solve competition-level security challenges in seconds can be pointed at any target.

The same AI that accelerates defensive research, finding vulnerabilities to patch them, accelerates offensive research, finding vulnerabilities to exploit them. There is no asymmetric advantage. Both sides get faster equally. But "equally" means something different when one side has a 71-day patch cycle and the other has a five-day development cycle. Equality of acceleration produces inequality of outcome when the starting positions are different. The patch cycle is structurally slower than the exploit cycle, and AI widens the gap, it does not close it.

The Bottom Line

Project Zero went from zero-click to full root on a flagship device using research that builds directly on AI-accelerated vulnerability development. They are the best in the world at this, and the process got dramatically faster. Everyone else gets the same speedup, including the people who do not disclose responsibly.

The zero-day is no longer a nation-state weapon. It is becoming a commodity. The economics of exploitation have changed: development time has compressed, talent requirements have lowered, and supply is increasing.

Every security team that is still modeling threats on pre-AI timelines is modeling a world that no longer exists. Your defensive architecture needs to account for this, or it will be exploited by someone who already has.