google-project-zero · Crawled Jul 5, 2026

A 0-click exploit chain for the Pixel 9 Part 1: Decoding Dolby

5 IoCs
Read original article ↗

AI Summary

A 0-click exploit chain targeting Google Pixel 9 devices was developed by Project Zero to demonstrate the exploitation of a critical vulnerability in the Dolby Unified Decoder (CVE-2025-54957). The vulnerability allows arbitrary code execution in the mediacodec context via malicious audio attachments in SMS/RCS messages, which are automatically decoded without user interaction. The exploit leverages a buffer overrun and memory leak in the EMDF parsing logic to achieve code execution, bypassing Android security features such as ASLR and SELinux. The vulnerabilities were patched as of January 5, 2026.

AI-extracted · verify before operational use

Indicators of Compromise 5 extracted

Type Value Detail
Filename libcodec2_soft_ddpdec.so Details →
Filename longmem Details →
Filename 10_write_x0 Details →
Filename make_10_write_x0.py Details →
Filename combine_frames.py Details →