🤖 AI Summary
Researchers from Google Project Zero have unveiled a concerning 0-click exploit chain targeting the Google Pixel 9, focusing on vulnerabilities within the Dolby Unified Decoder. This exploit leverages the way incoming audio attachments in Google Messages are automatically decoded without user interaction, effectively expanding the attack surface for malicious actors. The first part of their findings highlights CVE-2025-54957, which allows attackers to execute arbitrary code in the mediacodec context. By exploiting the lack of proper limits on audio payload sizes in the decoding process, attackers can manipulate memory allocation and potentially take control of the device without any user action.
This research is significant as it exposes potential security flaws in widely used Android devices, impacting a large segment of users. The ability to execute code with no user interaction raises alarms about the effectiveness of current Android security measures and emphasizes the need for better remediation strategies for media and driver vulnerabilities. The project not only highlights a critical security threat but also aims to educate the security community on the nature of these attacks and the areas where Android's defenses may fall short, paving the way for improved mobile security practices moving forward. Further installments in the series will explore privilege escalation and preventive measures.