google-project-zero · Crawled Jul 5, 2026
A 0-click exploit chain for the Pixel 9 Part 1: Decoding Dolby
5 IoCs
Read original article ↗
AI Summary
A 0-click exploit chain targeting Google Pixel 9 devices was developed by Project Zero to demonstrate the exploitation of a critical vulnerability in the Dolby Unified Decoder (CVE-2025-54957). The vulnerability allows arbitrary code execution in the mediacodec context via malicious audio attachments in SMS/RCS messages, which are automatically decoded without user interaction. The exploit leverages a buffer overrun and memory leak in the EMDF parsing logic to achieve code execution, bypassing Android security features such as ASLR and SELinux. The vulnerabilities were patched as of January 5, 2026.
AI-extracted · verify before operational use