
Pixel 9's Zero-Click Exploit Chain: Breaching the Kernel

  • Jan 19

Key Findings


  • Researchers from Google Project Zero have discovered a complete "zero-click" exploit chain targeting the Google Pixel 9 smartphone.

  • The chain runs from remote code execution during media decoding all the way to compromise of the kernel.

  • The vulnerabilities were patched in the security updates released on January 5, 2026.


Background


  • The key change in recent years is that "intelligent" smartphone features now analyze the content of incoming messages before the user ever opens them.

  • In particular, Google Messages may decode audio attachments received via SMS and RCS on its own, in order to transcribe them, without any user interaction.

  • As a result, audio decoders, including rarely used ones, become high-risk zero-click attack surface on a large share of Android devices.


Vulnerability in Dolby Unified Decoder


  • The initial stage of the exploit chain involves the Dolby Unified Decoder (UDC), a library for Dolby Digital and Dolby Digital Plus (AC-3 and EAC-3) frequently embedded within manufacturer firmware.

  • Project Zero demonstrates how CVE-2025-54957, a flaw in the handling of EMDF metadata, leads to memory corruption.

  • That corruption results in code execution inside the mediacodec context, a process that is meant to be isolated and is dedicated to media decoding on the Pixel 9.


Escape from mediacodec Sandbox


  • In the second part of their findings, Project Zero describes how they moved from the mediacodec environment to the /dev/bigwave driver, which handles AV1 acceleration on the Pixel chipset.

  • By exploiting CVE-2025-36934, they bypassed the existing restrictions and obtained kernel-level primitives.


Remediation Timeline Disparities


  • The UDC vulnerability was disclosed to Dolby on June 26, 2025, with public revelation occurring on October 15, 2025.

  • While Samsung reportedly deployed a patch by November 12, 2025, the Pixel received its update only on January 5, 2026.

  • This means the flaw remained publicly known and unpatched on Pixel devices for many weeks.

  • Speeding up updates for third-party components like UDC remains difficult, because the library is not delivered through system-level update mechanisms such as APEX.


Sources


  • https://securityonline.info/the-pixel-9-zero-click-exploit-chain-that-breaks-the-kernel/

  • https://gbhackers.com/zero-click-exploit-chain-discovered-targeting-google-pixel-9-devices

  • https://cyberpress.org/project-zero-zero-click-exploit-pixel-9

  • https://app.daily.dev/posts/a-0-click-exploit-chain-for-the-pixel-9-part-1-decoding-dolby-nrcxllz0p

© 2025 by Explain IT Again. Powered and secured by Wix
