Google Moves Pixel 10 Modem DNS Parsing to Rust for Stronger Security

Google has updated the Pixel 10 modem firmware to use a Rust-based Domain Name System parser. The change aims to cut a common class of memory-safety bugs that have long plagued modem software, reducing overall security risk by mitigating threats, vulnerabilities, and exploits. Google said the move reduces security risk in a sensitive area and paves the way for more memory-safe code in core device components.

Why DNS and why Rust

Google chose DNS because it is central to modern cellular services. “With the evolution of cellular technology, modern cellular communications have migrated to digital data networks; consequently, even basic operations such as call forwarding rely on DNS services,” Google said. The company added that DNS code written in memory-unsafe languages can expose devices to out-of-bounds memory accesses and other vulnerabilities, citing CVE-2024-27227 as an example of that risk.

Jiacheng Lu, a software engineer on the Google Pixel Team, framed the change bluntly. “The new Rust-based DNS parser significantly reduces our security risk by mitigating an entire class of vulnerabilities in a risky area,” Lu said. “It also lays the foundation for broader adoption of memory-safe code in other areas.”

Technical choices and engineering work

Google selected the Rust crate hickory-proto as the starting point. The crate offers a DNS client, server, and resolver. Google modified it to run in bare-metal and embedded environments where typical Rust dependencies may not apply. The company also used a custom tool called cargo-gnaw to manage and maintain more than 30 dependencies pulled in by the crate, Google noted.

The team did not simply replace C with Rust and stop there. Google declared the DNS response parsing API in C and then implemented the same API in Rust. “The Rust function returns an integer standing for the error code,” Google said. The parsed DNS answers must be converted into in-memory data structures already used by the modem. To do that, the Rust code calls existing C functions to update those structures. Google described this as a hybrid approach that preserves the modem’s C runtime while making parsing memory-safe.

Google also acknowledged trade-offs. The hickory-proto crate was not optimized for systems with tight memory budgets. The company suggested one path forward is to add feature flags to the crate so builds include only the functionality required for the modem. That approach would cut code size by compiling out unneeded modules.

How this fits into Google’s broader security work

The Rust DNS parser builds on other hardening efforts inside Google’s modem team. In late 2023 Google highlighted the role of Clang sanitizers such as Overflow Sanitizer and BoundsSanitizer to catch undefined behavior during execution. The company has also documented protections against 2G exploits and attacks that try to use memory-safety flaws like buffer overflows to achieve remote code execution.

Google reported that its steady adoption of Rust into Android and low-level firmware has been effective. In November 2025 Google said that memory safety issues dropped to below 20 percent of total vulnerabilities discovered in the mobile operating system the prior year. That number is one of the reasons Google views memory-safe languages as a strategic defense, rather than a niche experiment.

What users should expect

For Pixel 10 owners, the change should reduce the chances of remote attacks that exploit DNS parsing bugs in the modem. For the industry, Google is offering a working example of how to migrate critical network code toward memory safety without rewriting an entire stack. “It is a pragmatic step that brings immediate risk reduction while preserving existing integrations,”