
Pixel 9's Zero-Click Exploit Chain: Breaching the Kernel

  • Jan 19

Key Findings


  • Researchers from Google Project Zero have discovered a comprehensive "zero-click" exploit chain targeting the Google Pixel 9 smartphone.

  • The exploit chain spans from remote code execution during media decoding to the ultimate compromise of the kernel.

  • The vulnerabilities were patched in the security updates released on January 5, 2026.


Background


  • The key shift in recent years is that "intelligent" smartphone features now pre-emptively analyze the content of incoming messages.

  • Specifically, Google Messages may automatically decode audio attachments received via SMS and RCS in order to transcribe them, without any user interaction.

  • As a result, audio decoders, including rarely used ones, become high-risk zero-click attack surfaces on a large share of Android devices.


Vulnerability in Dolby Unified Decoder


  • The first stage of the exploit chain targets the Dolby Unified Decoder (UDC), a library for Dolby Digital and Dolby Digital Plus (AC-3 and EAC-3) that is frequently embedded in manufacturer firmware.

  • Project Zero shows how CVE-2025-54957, a flaw in the handling of EMDF metadata, leads to memory corruption.

  • This corruption results in code execution inside the mediacodec context, a process that is supposed to be isolated and is dedicated to media decoding on the Pixel 9.


Escape from mediacodec Sandbox


  • In the second part of the write-up, Project Zero describes how they moved from the mediacodec environment to the /dev/bigwave driver, which is responsible for AV1 acceleration on the Pixel chipset.

  • By exploiting CVE-2025-36934, they bypassed the remaining restrictions and obtained kernel-level primitives.


Remediation Timeline Disparities


  • The UDC vulnerability was disclosed to Dolby on June 26, 2025, with public revelation occurring on October 15, 2025.

  • While Samsung reportedly deployed a patch by November 12, 2025, the Pixel received its update only on January 5, 2026.

  • This means the flaw remained publicly known and unpatched on Pixel devices for dozens of days.

  • Speeding up updates for third-party components like UDC remains difficult because the library is not delivered through system-level update mechanisms such as APEX.


Sources


  • https://securityonline.info/the-pixel-9-zero-click-exploit-chain-that-breaks-the-kernel/

  • https://gbhackers.com/zero-click-exploit-chain-discovered-targeting-google-pixel-9-devices

  • https://cyberpress.org/project-zero-zero-click-exploit-pixel-9

  • https://app.daily.dev/posts/a-0-click-exploit-chain-for-the-pixel-9-part-1-decoding-dolby-nrcxllz0p

© 2025 by Explain IT Again.