Today, Project Zero released a 0-click exploit chain for the Pixel 9.
-
Today, Project Zero released a 0-click exploit chain for the Pixel 9. While it targets the Pixel, the 0-click bug and exploit techniques we used apply to most other Android devices.
https://projectzero.google/2026/01/pixel-0-click-part-1.html
The first bug in the chain is CVE-2025-54957, a memory corruption bug in the Dolby Unified Decoder, an audio codec integrated by most Android devices’ OEMs. It is 0-click because incoming SMS and RCS audio messages are automatically transcribed by the system.
-
The first bug in the chain is CVE-2025-54957, a memory corruption bug in the Dolby Unified Decoder, an audio codec integrated by most Android devices’ OEMs. It is 0-click because incoming SMS and RCS audio messages are automatically transcribed by the system.
@natashenka rekttttt
-
The first bug in the chain is CVE-2025-54957, a memory corruption bug in the Dolby Unified Decoder, an audio codec integrated by most Android devices’ OEMs. It is 0-click because incoming SMS and RCS audio messages are automatically transcribed by the system.
The second bug, CVE-2025-36934, is a driver UaF which only affects the Pixel 9, but Project Zero has found many other bugs with similar impact affecting other devices over the past couple years.
-
The second bug, CVE-2025-36934, is a driver UaF which only affects the Pixel 9, but Project Zero has found many other bugs with similar impact affecting other devices over the past couple years.
Remarkably, iOS also integrates the UDC in a 1-click context, but this bug is not exploitable, because the codec is compiled with -fbounds-safety, which inserted bounds checking instructions, making the bug unreachable.
-
Remarkably, iOS also integrates the UDC in a 1-click context, but this bug is not exploitable, because the codec is compiled with -fbounds-safety, which inserted bounds checking instructions, making the bug unreachable.
We hope this flag makes it out of Clang experimental, and more vendors start using it!
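To make the -fbounds-safety point in the two posts above concrete, here is an added example (not Project Zero's code and not the Dolby decoder): a toy frame parser of the kind an audio codec contains, with the two bounds that matter written out by hand. The wire format (byte 0 = declared payload length), FRAME_MAX, and the function names are constructed for this illustration; the assumption that Clang spells the annotation `__counted_by` and exposes the mode through `__has_feature(bounds_safety)` is also labelled in the code, and on any other compiler the macro expands to nothing so the file still builds.

```c
/* Added example, not code from Project Zero or from the Dolby decoder:
 * a toy frame parser showing the two bounds a length-prefixed format
 * needs (source length and destination capacity), and how the
 * -fbounds-safety __counted_by annotation turns the destination check
 * into something the compiler enforces rather than the programmer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: under Clang -fbounds-safety the attribute is spelled
 * __counted_by and the mode is detectable via __has_feature(bounds_safety).
 * On any other compiler the macro expands to nothing, so the manual
 * checks below are the only protection. */
#if defined(__has_feature)
#  if __has_feature(bounds_safety)
#    define COUNTED_BY(n) __counted_by(n)
#  endif
#endif
#ifndef COUNTED_BY
#  define COUNTED_BY(n)
#endif

#define FRAME_MAX 16   /* hypothetical fixed payload capacity */

struct frame {
    uint8_t len;
    uint8_t data[FRAME_MAX];
};

/* With -fbounds-safety, `dst` carries its bound `cap` at run time and any
 * write past it traps, so a miscomputed `cap` or a forgotten check becomes
 * a crash instead of a memory corruption primitive. */
static void fill_payload(uint8_t *COUNTED_BY(cap) dst, size_t cap, uint8_t v)
{
    for (size_t i = 0; i < cap; i++)
        dst[i] = v;
}

/* Constructed wire format: byte 0 = declared payload length, then payload.
 * Returns the payload length, or -1 when the declared length would cause
 * an out-of-bounds read (past the input) or write (past the frame). */
int parse_frame(const uint8_t *in, size_t in_len, struct frame *out)
{
    if (in_len < 1)
        return -1;
    uint8_t declared = in[0];

    /* Source bound: the input must actually contain `declared` bytes.
       Skipping this yields an over-read of whatever follows the input. */
    if ((size_t)declared > in_len - 1)
        return -1;

    /* Destination bound: the payload must fit the fixed-size frame.
       Skipping this is the classic length-field overflow; under
       -fbounds-safety the out-of-bounds write would trap instead. */
    if (declared > FRAME_MAX)
        return -1;

    fill_payload(out->data, FRAME_MAX, 0);      /* clear stale bytes */
    memcpy(out->data, in + 1, declared);
    out->len = declared;
    return declared;
}

/* Constructed samples: one well-formed frame, one that claims more
 * payload than it carries, and one that claims more than the frame holds. */
static const uint8_t SAMPLE_OK[]        = { 3, 'a', 'b', 'c' };
static const uint8_t SAMPLE_TRUNCATED[] = { 5, 'a' };
static uint8_t       sample_oversized[1 + 200];

/* Builds the oversized sample and returns the parser's verdict on it. */
int parse_oversized_sample(struct frame *out)
{
    memset(sample_oversized, 'x', sizeof sample_oversized);
    sample_oversized[0] = 200;            /* declared length > FRAME_MAX */
    return parse_frame(sample_oversized, sizeof sample_oversized, out);
}

int main(void)
{
    struct frame f;
    printf("ok:        %d\n", parse_frame(SAMPLE_OK, sizeof SAMPLE_OK, &f));
    printf("truncated: %d\n", parse_frame(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &f));
    printf("oversized: %d\n", parse_oversized_sample(&f));
    return 0;
}
```

The two explicit `if` checks are what a codec author has to remember for every length field; the annotated `fill_payload` shows the alternative the posts describe, where the pointer itself carries its bound and a missed check fails closed at run time rather than silently corrupting memory.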
-
Remarkably, iOS also integrates the UDC in a 1-click context, but this bug is not exploitable, because the codec is compiled with -fbounds-safety, which inserted bounds checking instructions, making the bug unreachable.
IMO, the biggest takeaway from this research is the huge promise shown by memory mitigations, both hardware and software, in protecting users against 0-days.
-
We hope this flag makes it out of Clang experimental, and more vendors start using it!
IMO, the biggest takeaway from this research is the huge promise shown by memory mitigations, both hardware and software, in protecting users against 0-days.
-
IMO, the biggest takeaway from this research is the huge promise shown by memory mitigations, both hardware and software, in protecting users against 0-days.
Attack surface reduction is also important — the UDC is largely used by commercial media like TV shows, most devices don’t even have an encoder.
Does it really need to be 0-click?
-
Attack surface reduction is also important — the UDC is largely used by commercial media like TV shows, most devices don’t even have an encoder.
Does it really need to be 0-click?
Supply-chain issues also played a role: both vulnerabilities were patched very slowly, due to a variety of factors including bug prioritization, licensing and communication between vendors.
-
Remarkably, iOS also integrates the UDC in a 1-click context, but this bug is not exploitable, because the codec is compiled with -fbounds-safety, which inserted bounds checking instructions, making the bug unreachable.
@natashenka Quite the testimonial!
-
Supply-chain issues also played a role: both vulnerabilities were patched very slowly, due to a variety of factors including bug prioritization, licensing and communication between vendors.
Make sure to check out the full series here: https://projectzero.google/2026/01/pixel-0-click-part-1.html
-
Today, Project Zero released a 0-click exploit chain for the Pixel 9. While it targets the Pixel, the 0-click bug and exploit techniques we used apply to most other Android devices.
https://projectzero.google/2026/01/pixel-0-click-part-1.html
@natashenka Great research and thank you for the 3 part write-up! I had a couple questions.
- Would Android Advanced Protection mode have protected against some of this? E.g., the automatic transcription of incoming audio files?
- Would MTE have played a useful role in this on supporting Pixel phones?
-
The first bug in the chain is CVE-2025-54957, a memory corruption bug in the Dolby Unified Decoder, an audio codec integrated by most Android devices’ OEMs. It is 0-click because incoming SMS and RCS audio messages are automatically transcribed by the system.
@natashenka wait, it transcribes them *by default* in the background? if so, that is an absolutely ridiculous attack surface to expose.
-
Attack surface reduction is also important — the UDC is largely used by commercial media like TV shows, most devices don’t even have an encoder.
Does it really need to be 0-click?
@natashenka There always seems to be so much pushback on removing functionality. While turning it into a 1-click would help some (especially if the sender isn't in your contacts!), I'd be more curious to see if it could be very tightly sandboxed. (And if not... why not? Tight sandboxing of media libraries with limited kernel attack surface seems like a platform primitive that is broadly useful.) Or cross-compiled to wasm - performance of an edge-case scenario shouldn't be a concern.
-
Today, Project Zero released a 0-click exploit chain for the Pixel 9. While it targets the Pixel, the 0-click bug and exploit techniques we used apply to most other Android devices.
https://projectzero.google/2026/01/pixel-0-click-part-1.html
@natashenka Can the Google Messages audio-parsing feature that is causing this be disabled? I did not consent to any "AI"/semantic content introspection being done by Google on ANYTHING on my phone, and have been trying to disable all such features as I find them (but of course software vendors are constantly adding more such features, and they are always on by default).
-
We hope this flag makes it out of Clang experimental, and more vendors start using it!
@natashenka That feels a lot like Microsoft's SAL: https://learn.microsoft.com/en-us/cpp/code-quality/using-sal-annotations-to-reduce-c-cpp-code-defects?view=msvc-170. The big question is, how do we ensure portability to multiple compilers. Could we standardize that, please?
-
Today, Project Zero released a 0-click exploit chain for the Pixel 9. While it targets the Pixel, the 0-click bug and exploit techniques we used apply to most other Android devices.
https://projectzero.google/2026/01/pixel-0-click-part-1.html
-
Attack surface reduction is also important — the UDC is largely used by commercial media like TV shows, most devices don’t even have an encoder.
Does it really need to be 0-click?
@natashenka I don't know that a single click matters, unless you design it well. See also https://infosec.exchange/@adamshostack/115884932482637376
-
@natashenka wait, it transcribes them *by default* in the background? if so, that is an absolutely ridiculous attack surface to expose.
@gsuberland @natashenka IIRC that was already the case with Stagefright, which was also very similar in that it targeted media libraries involved in MMS
-
Today, Project Zero released a 0-click exploit chain for the Pixel 9. While it targets the Pixel, the 0-click bug and exploit techniques we used apply to most other Android devices.
https://projectzero.google/2026/01/pixel-0-click-part-1.html
@natashenka Using #grapheneos on our Pixel phone is a workaround / solution - right? 🤔😉