IonStack Exploit Chain Achieves 1-Click Root on Android 17 via Browser and Kernel Zero-Days
A novel exploit chain named IonStack demonstrates a critical vulnerability in Android 17, allowing full device control with a single URL click by chaining two zero-day exploits.

Researchers at Nebula Security have unveiled "IonStack," a groundbreaking exploit chain that achieves complete control over Android devices through a single click on a malicious URL. This proof-of-concept, presented as the first public Android 17 root demonstration, chains two previously unknown zero-day vulnerabilities: one affecting the Firefox browser and another impacting the Linux kernel, which underpins the Android operating system.
The initial attack vector exploits a Firefox zero-day, present in all versions prior to 151.0.2. When a user clicks a specially crafted URL, this vulnerability compromises the browser's renderer process. This initial compromise is crucial as it provides the foothold necessary to pivot to the second, more critical vulnerability.
The second zero-day is a deeply embedded flaw within the Linux kernel, which has reportedly existed for approximately 15 years. This long-standing vulnerability allows attackers to escalate privileges from the confined browser sandbox to full kernel-level control over the device. By chaining these two exploits, attackers can bypass multiple layers of operating system security and sandboxing, effectively gaining administrative access.
Once kernel-level access is achieved, the implications are severe. Attackers can perform a wide range of malicious actions, including exfiltrating sensitive data, deploying surveillance tools, establishing persistent backdoors, and maintaining complete remote control over the compromised Android device. The exploit chain requires no further user interaction after the initial click, making it particularly dangerous.
Nebula Security attributes the discovery of both zero-day vulnerabilities to VEGA, their proprietary automated code scanning agent. The researchers highlighted VEGA's effectiveness, noting that it successfully identified a 15-year-old kernel bug that had evaded manual audits and other existing security tooling for over a decade. This underscores the persistent challenge of legacy code in widely deployed open-source components.
Browser-to-kernel exploit chains are considered among the most potent threats in mobile security due to their ability to bypass robust OS-level defenses with minimal user effort. The longevity of the Linux kernel flaw emphasizes how critical vulnerabilities can persist undetected in foundational software for extended periods, potentially affecting billions of devices.
Nebula Security has stated that the vulnerabilities were responsibly disclosed and have not been observed in the wild prior to their research. This positions IonStack as a defensive demonstration aimed at highlighting critical security gaps rather than an active, deployed threat campaign.
To mitigate this risk, users are strongly advised to update Firefox to version 151.0.2 or later immediately. Organizations should prioritize patch management for both browser and kernel components and consider integrating automated vulnerability scanning tools into their development pipelines to proactively detect such deep-seated flaws.