Intelligence Feed

Latest threat intelligence articles from trusted security sources, auto-processed to extract entities, IoCs, and TTPs.

Filtered by source: google-project-zero

A 0-click exploit chain for the Pixel 10: When a Door Closes, a Window Opens

1mo ago · google-project-zero

Google Project Zero discovered a 0-click exploit chain targeting the Google Pixel 10, leveraging a modified version of a previously known Dolby vulnerability (CVE-2025-54957) and a new kernel vulnerability in the VPU driver. The VPU driver exposes MMIO register mappings without proper bounds checking, allowing arbitrary physical memory mapping and kernel memory modification from userspace. This enables trivial privilege escalation to kernel code execution. The vulnerability was reported in November 2025 and patched in the February 2026 Pixel security bulletin, marking improved triage response from Android.

1 IoC

Welcome to the new Project Zero Blog

6mo ago · google-project-zero

This article introduces the new Project Zero blog and highlights previously unpublished research on exploitation techniques. It references historical work on Windows race conditions and sandbox escape methods. The post emphasizes the ongoing relevance of zero-day vulnerabilities and the need for continued defensive improvements. No active threat activity or specific attacks are described.

A 0-click exploit chain for the Pixel 9 Part 1: Decoding Dolby

5mo ago · google-project-zero

A 0-click exploit chain targeting Google Pixel 9 devices was developed by Project Zero to demonstrate the exploitation of a critical vulnerability in the Dolby Unified Decoder (CVE-2025-54957). The vulnerability allows arbitrary code execution in the mediacodec context via malicious audio attachments in SMS/RCS messages, which are automatically decoded without user interaction. The exploit leverages a buffer overrun and memory leak in the EMDF parsing logic to achieve code execution, bypassing Android security features such as ASLR and SELinux. The vulnerabilities were patched as of January 5, 2026.

5 IoCs

A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Wave

5mo ago · google-project-zero

A 0-click exploit chain targeting the Pixel 9 was demonstrated, leveraging a vulnerability in the BigWave kernel driver accessible from the mediacodec SELinux context. The exploit achieves kernel arbitrary read/write via a use-after-free (UAF) in the BIGO_IOCX_PROCESS ioctl handler, enabling sandbox escape and privilege escalation. The attacker can gain root privileges and disable SELinux, culminating in full device compromise. The exploit was integrated with a Dolby decoder vulnerability to form a complete attack chain.

2 IoCs

A 0-click exploit chain for the Pixel 9 Part 3: Where do we go from here?

5mo ago · google-project-zero

Google Project Zero uncovered a 0-click exploit chain targeting the Pixel 9, leveraging vulnerabilities in the Dolby UDC audio decoder and the BigWave kernel driver. The chain allowed remote code execution and privilege escalation with minimal bugs, highlighting weaknesses in Android's attack surface, driver security, and patching timelines. Despite responsible disclosure, patch deployment was delayed, leaving users exposed for months. The findings emphasize systemic issues in vulnerability prioritization, mitigation effectiveness, and vendor coordination across the Android ecosystem.

Bypassing Windows Administrator Protection

5mo ago · google-project-zero

A security researcher identified multiple vulnerabilities in Windows 11 25H2's new Administrator Protection feature, designed to replace User Account Control (UAC). One of nine discovered bypasses allowed silent escalation to full administrator privileges by exploiting lazy initialization of per-session DOS device directories, improper access checking during object creation, and token impersonation behaviors. The vulnerabilities were reported to Microsoft and addressed in updates, including optional update KB5067036, before the feature's official release. Administrator Protection was temporarily disabled in December 2025 due to application compatibility issues unrelated to the security flaws.

1 IoC

Breaking the Sound Barrier, Part II: Exploiting CVE-2024-54529

5mo ago · google-project-zero

A detailed technical analysis of exploiting CVE-2024-54529, a type confusion vulnerability in macOS's coreaudiod daemon, is presented. The exploit leverages uninitialized memory in the 'ngne' object and a heap manipulation technique using property lists to achieve arbitrary code execution. The attack involves crashing and restarting coreaudiod to reuse heap-sprayed data, ultimately enabling privilege escalation via a ROP chain.

1 IoC

Bypassing Administrator Protection by Abusing UI Access

4mo ago · google-project-zero

A researcher discovered multiple bypasses for Windows Administrator Protection by exploiting UI Access, a feature designed to allow accessibility tools to interact with higher integrity processes. The bypasses leverage flaws in secure directory checks, repurposing legitimate UI Access executables, shared user profiles, insecure RPC handling, and access token manipulation. These techniques allow a limited user to silently elevate privileges and compromise administrator-level processes without consent prompts, undermining the security boundary intended by Administrator Protection.

2 IoCs

A Deep Dive into the GetProcessHandleFromHwnd API

4mo ago · google-project-zero

The article analyzes the evolution of the GetProcessHandleFromHwnd API in Windows, revealing security flaws that allowed privilege escalation and access to protected processes. Early versions used user-mode hooks, but a shift to kernel-mode handling in Windows 10 introduced a vulnerability enabling unrestricted process handle access when UIPI checks were bypassed. This was exploited to compromise protected processes like WerFaultSecure.exe, leading to CVE-2023-41772. Recent Windows 11 updates have mitigated the issue by enforcing stricter access checks and feature flags.

3 IoCs

On the Effectiveness of Mutational Grammar Fuzzing

4mo ago · google-project-zero

The article discusses the limitations of mutational grammar fuzzing, particularly in finding complex bugs that require specific function chaining, and highlights issues such as coverage not equating to bug discovery and lack of corpus diversity. The author demonstrates how these limitations affect fuzzing efficiency, especially in language-based targets like XSLT processors. A hybrid approach combining generative and mutational fuzzing with periodic worker restarts is proposed to improve bug discovery and sample diversity.