Google Adds Rust-Based DNS Parser into Pixel 10 Modem to Enhance Security
Google integrates Rust-based DNS parser into Pixel 10 modem firmware to mitigate memory-safety vulnerabilities.
Summary
Google has integrated a Rust-based DNS parser into Pixel 10 modem firmware to reduce security risk by eliminating an entire class of memory-safety vulnerabilities in a critical attack surface. The implementation uses the 'hickory-proto' Rust crate and a custom 'cargo-gnaw' tool to manage dependencies in embedded environments. This makes the Pixel 10 the first Pixel device with a memory-safe language in its modem and builds on Google's broader initiative to reduce memory-safety bugs in Android, which fell below 20% of total vulnerabilities in 2025.
Full text
Ravie Lakshmanan | Apr 14, 2026 | Mobile Security / Network Security

Google has announced the integration of a Rust-based Domain Name System (DNS) parser into the modem firmware as part of its ongoing efforts to beef up the security of Pixel devices and push memory-safe code at a more foundational level.

"The new Rust-based DNS parser significantly reduces our security risk by mitigating an entire class of vulnerabilities in a risky area, while also laying the foundation for broader adoption of memory-safe code in other areas," Jiacheng Lu, a software engineer on the Google Pixel Team, said.

The security boost via Rust integration is available for Pixel 10 devices, making it the first Pixel device to integrate a memory-safe language into its modem. The move builds upon a series of initiatives the tech giant has taken to harden the cellular baseband modem against exploitation.

In late 2023, it highlighted the role played by Clang sanitizers like Overflow Sanitizer (IntSan) and BoundsSanitizer (BoundSan) to catch undefined behavior during program execution. A year later, it also detailed the various security measures built into the modem firmware to combat 2G exploits and baseband attacks that exploit memory-safety vulnerabilities like buffer overflows to achieve remote code execution.

These security advances have been complemented by Google's steady adoption of Rust into Android and low-level firmware. In November 2025, the company revealed that the number of memory safety vulnerabilities fell below 20% of total vulnerabilities discovered in the mobile operating system last year.
Google said it chose the DNS protocol for its Rust implementation because DNS underpins modern cellular communications, and because a parser written in a memory-unsafe language can expose users to malicious attacks through out-of-bounds memory accesses, as in the case of CVE-2024-27227.

"With the evolution of cellular technology, modern cellular communications have migrated to digital data networks; consequently, even basic operations such as call forwarding rely on DNS services," it added. "Implementing the DNS parser in Rust offers value by decreasing the attack surfaces associated with memory unsafety."

To that end, Google has chosen the "hickory-proto" crate, a Rust-based DNS client, server, and resolver, to implement the protocol, while modifying it to support bare metal and embedded environments. Another important component of this change is the use of a custom tool called "cargo-gnaw" to easily resolve and maintain more than 30 dependencies introduced by the crate.

The internet company also noted that the DNS Rust crate is not optimized for use in memory-constrained systems, and that one possible code size optimization could be achieved by adding extra feature flags to ensure modularity and selectively compile only required functionality.

"For the DNS parser, we declared the DNS response parsing API in C and then implemented the same API in Rust," Google said. "The Rust function returns an integer standing for the error code. The received DNS answers in the DNS response are required to be updated to in-memory data structures that are coupled with the original C implementation; therefore, we use existing C functions to do it. The existing C functions are dispatched from the Rust implementation."
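The C-declared, Rust-implemented parsing API that Google describes can be sketched as follows. This is an added example, not Google's firmware code and not hickory-proto: it is a hand-rolled, std-only parser in which every function name, the callback type and the error codes are hypothetical and the sample packet is constructed. It also shows how a length field that overstates the remaining data, the kind of input that causes out-of-bounds reads in a memory-unsafe parser, ends in an integer error code instead.

```rust
// Added sketch: std-only, hand-rolled (not hickory-proto); all names are hypothetical.
pub const DNS_OK: i32 = 0;
pub const DNS_ERR_MALFORMED: i32 = -1;
/// Stand-in for the existing C function that stores one answer in C-side structures.
pub type AnswerCb = extern "C" fn(rtype: u16, rdata: *const u8, rdlen: usize);
// Constructed sample: response for "a.io" carrying one A record, 192.0.2.1.
pub const SAMPLE: [u8; 38] = [0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0,
    1, b'a', 2, b'i', b'o', 0, 0, 1, 0, 1,
    0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0, 60, 0, 4, 192, 0, 2, 1];
fn be16(msg: &[u8], at: usize) -> Result<u16, i32> {
    let b = msg.get(at..).and_then(|s| s.get(..2)).ok_or(DNS_ERR_MALFORMED)?;
    Ok(u16::from_be_bytes([b[0], b[1]]))
}
fn skip_name(msg: &[u8], mut at: usize) -> Result<usize, i32> { // offset just past the name
    loop {
        match *msg.get(at).ok_or(DNS_ERR_MALFORMED)? as usize {
            0 => return Ok(at + 1),
            l if (l & 0xC0) == 0xC0 => return Ok(at + 2), // compression pointer ends the name
            l if (l & 0xC0) != 0 => return Err(DNS_ERR_MALFORMED), // reserved label type
            l => at += 1 + l,
        }
    }
}
/// Safe core: every read is bounds-checked, so a lying RDLENGTH becomes an error code.
pub fn parse_response(msg: &[u8], on_answer: &mut dyn FnMut(u16, &[u8])) -> Result<(), i32> {
    let (qd, an, mut at) = (be16(msg, 4)?, be16(msg, 6)?, 12);
    for _ in 0..qd { at = skip_name(msg, at)? + 4; } // name, then QTYPE + QCLASS
    for _ in 0..an {
        at = skip_name(msg, at)?;
        let (rtype, rdlen) = (be16(msg, at)?, be16(msg, at + 8)? as usize);
        let rdata = msg.get(at + 10..).and_then(|s| s.get(..rdlen)).ok_or(DNS_ERR_MALFORMED)?;
        on_answer(rtype, rdata);
        at += 10 + rdlen;
    }
    if at <= msg.len() { Ok(()) } else { Err(DNS_ERR_MALFORMED) }
}
/// C ABI entry point returning an integer error code. Safety: `buf` must hold `len` bytes.
pub unsafe extern "C" fn dns_parse_response(buf: *const u8, len: usize, cb: AnswerCb) -> i32 {
    if buf.is_null() { return DNS_ERR_MALFORMED; }
    let msg = unsafe { std::slice::from_raw_parts(buf, len) };
    // Pass 1 validates the whole message so C-side state is never half-updated.
    if let Err(code) = parse_response(msg, &mut |_, _| {}) { return code; }
    parse_response(msg, &mut |t, d: &[u8]| cb(t, d.as_ptr(), d.len())).err().unwrap_or(DNS_OK)
}
fn main() {
    let mut bad = SAMPLE;
    bad[33] = 0xFF; // constructed malformed case: RDLENGTH claims 255 bytes, 4 follow
    println!("{:?} {:?}", parse_response(&SAMPLE, &mut |_, _| {}), parse_response(&bad, &mut |_, _| {}));
}
```

Validating the whole message before dispatching to the C callback is a design choice of this example; the article does not say how the firmware orders validation and dispatch. A firmware build would also export the entry point under an unmangled symbol name so the C side can link against it.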
Indicators of Compromise
- cve — CVE-2024-27227