One need not even open a missive or engage the “play” interface for a device to commence the background parsing of an attachment, all in the service of providing a seamless transcription or indexing for future retrieval. While ostensibly convenient, such automated functionalities inadvertently transmute mundane correspondence into a sophisticated attack surface. In this digital landscape, a transgressor often requires nothing more than the transmission of a meticulously crafted file.
Researchers from Google Project Zero have meticulously delineated a comprehensive “zero-click” exploit chain targeting the Google Pixel 9, spanning from remote code execution during media decoding to the ultimate compromise of the kernel. This three-part exposé illustrates how vulnerabilities in audio processing and hardware drivers can be chained into a scenario in which the victim need not perform any action whatsoever. Project Zero notes that remediations for the vulnerabilities comprising this chain were integrated into the security updates disseminated on January 5, 2026.
The pivotal shift in recent years lies in the propensity of “intelligent” smartphone features to preemptively analyze the content of incoming messages. Specifically, Google Messages may autonomously decode audio attachments received via SMS and RCS to facilitate transcription without user intervention. Consequently, audio decoders—including those utilized only sporadically—emerge as high-risk zero-click vectors across a great many Android devices.
The initial stage of this chain involves the Dolby Unified Decoder (UDC), a library for Dolby Digital and Dolby Digital Plus (AC-3 and EAC-3) frequently embedded within manufacturer firmware. Project Zero demonstrates how a vulnerability designated as CVE-2025-54957, residing in the processing of metadata (EMDF), facilitates memory corruption. This breach culminates in code execution within the mediacodec context—a supposedly isolated process dedicated to media decoding on the Pixel 9.
However, the “sandbox” surrounding the media decoder does not necessarily halt the incursion. In the second installment of their findings, Project Zero describes how they traversed from the mediacodec environment to the /dev/bigwave driver—responsible for AV1 acceleration on the Pixel chipset. By exploiting CVE-2025-36934, they successfully bypassed existing restrictions to obtain kernel-level primitives.
Beyond the technical virtuosity, the researchers emphasized the “economics” of the assault. They estimate that developing the Dolby-based exploit required approximately eight man-weeks, while the driver-specific proof-of-concept demanded roughly three. Notably, this chain relied upon a mere pair of defects rather than a convoluted sequence of errors; thus, in practice, the security of the device hinges predominantly upon the velocity with which the ecosystem delivers patches to the end-user.
In the final segment, Project Zero highlights troubling discrepancies in remediation timelines. The UDC vulnerability was disclosed to Dolby on June 26, 2025, with public revelation occurring on October 15, 2025. While Samsung reportedly deployed a patch by November 12, 2025, the Pixel received its update only on January 5, 2026. This implies the flaw remained public and unresolved on Pixel devices for dozens of days. Accelerating updates for third-party components like UDC remains complex, as the library is not integrated into system-level update mechanisms such as APEX.
The pragmatic conclusion for owners of the Pixel 9 and other Android smartphones is as pedestrian as it is vital: verify the installation of the January 2026 security updates and ensure all applications involved in message and media processing are current. Furthermore, platform developers must exercise greater vigilance regarding how nascent “intelligent” features inadvertently expand the zero-click attack surface, while striving to minimize the repertoire of decoders and drivers accessible from remotely reachable contexts.
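One way to carry out the patch-level check described above across several devices, as an added example that is not code from Project Zero or Google: the script flags every device whose Android security patch level is older than a required minimum or cannot be parsed. The threshold `2026-01-05` assumes the patch-level string matches the update date given in the article, and the inventory rows, serials and function names are constructed for illustration.

```sh
# Added example, not Project Zero's or Google's code. Assumption: patch level
# 2026-01-05 carries the fixes; confirm against the vendor bulletin per model.
REQUIRED_SPL="${REQUIRED_SPL:-2026-01-05}"

# spl_at_least HAVE NEED: 0 if HAVE >= NEED, 1 if older, 2 if malformed.
spl_at_least() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # YYYY-MM-DD with the dashes removed compares correctly as an integer.
    [ "$(printf '%s' "$1" | tr -d '-')" -ge "$(printf '%s' "$2" | tr -d '-')" ]
}

# classify SPL: print PATCHED, OUTDATED or UNKNOWN.
classify() {
    rc=0
    spl_at_least "$1" "$REQUIRED_SPL" || rc=$?
    case "$rc" in
        0) echo PATCHED ;;
        1) echo OUTDATED ;;
        *) echo UNKNOWN ;;
    esac
}

# device_spl SERIAL: read the patch level from an attached, authorized device.
device_spl() { adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r'; }

# audit_inventory: read "serial patch-level model" rows; print unconfirmed devices.
audit_inventory() {
    while read -r serial spl model; do
        case "$serial" in ''|'#'*) continue ;; esac
        status=$(classify "${spl:-missing}")
        [ "$status" = PATCHED ] ||
            printf '%s %s %s (%s)\n' "$status" "$serial" "${spl:-missing}" "$model"
    done
}

# Constructed sample inventory (serials and rows are made up).
sample_inventory() {
    cat <<'EOF'
EXAMPLE01  2026-01-05   Pixel 9
EXAMPLE02  2025-12-05   Pixel 9 Pro
EXAMPLE03  2026-01-01   Pixel 9
EXAMPLE04  unknown      Pixel 9a
EOF
}

sample_inventory | audit_inventory
```

To audit live hardware, build each inventory row from the output of `device_spl <serial>` instead of the constructed sample.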