Today, Project Zero released a 0-click exploit chain for the Pixel 9.
-
Remarkably, iOS also integrates the UDC in a 1-click context, but this bug is not exploitable, because the codec is compiled with -fbounds-safety, which inserted bounds checking instructions, making the bug unreachable.
@natashenka Quite the testimonial!
-
Supply-chain issues also played a role: both vulnerabilities were patched very slowly, due to a variety of factors including bug prioritization, licensing and communication between vendors.
Make sure to check out the full series here: https://projectzero.google/2026/01/pixel-0-click-part-1.html
-
Today, Project Zero released a 0-click exploit chain for the Pixel 9. While it targets the Pixel, the 0-click bug and exploit techniques we used apply to most other Android devices.
https://projectzero.google/2026/01/pixel-0-click-part-1.html
@natashenka Great research and thank you for the 3 part write-up! I had a couple questions.
- Would Android Advanced Protection Mode have protected against some of this? E.g., the automatic transcription of incoming audio files?
- Would MTE have played some useful role in this on supporting Pixel phones?
-
The first bug in the chain is CVE-2025-54957, a memory corruption bug in the Dolby Unified Decoder, an audio codec integrated by most Android devices’ OEMs. It is 0-click because incoming SMS and RCS audio messages are automatically transcribed by the system.
@natashenka wait, it transcribes them *by default* in the background? if so, that is an absolutely ridiculous attack surface to expose.
-
Attack surface reduction is also important— the UDC is largely used by commercial media like TV shows, most devices don’t even have an encoder.
Does it really need to be 0-click?
@natashenka There always seems to be so much pushback on removing functionality. While turning it into a 1-click would help some (especially if the sender isn't in your contacts!), I'd be more curious to see if it could be very tightly sandboxed. (And if not... why not? Tight sandboxing of media libraries with limited kernel attack surface seems like a platform primitive that is broadly useful.) Or cross compiled to wasm - performance of an edge case scenario shouldn't be a concern.
-
@natashenka Can the Google Messages audio-parsing feature that is causing this be disabled? I did not consent to any "AI"/semantic content introspection being done by Google on ANYTHING on my phone, and have been trying to disable all such features as I find them (but of course software vendors constantly adding more such features and they are always on by default)
-
We hope this flag makes it out of Clang experimental, and more vendors start using it!
@natashenka That feels a lot like Microsoft's SAL: https://learn.microsoft.com/en-us/cpp/code-quality/using-sal-annotations-to-reduce-c-cpp-code-defects?view=msvc-170. The big question is, how do we ensure portability to multiple compilers. Could we standardize that, please?
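The two posts above (the iOS build of the codec being saved by -fbounds-safety, and the hope that the flag leaves Clang experimental) are about one concrete thing: the compiler inserting a bounds check on every access to a buffer whose length it has been told about. The following is an added illustration written for this thread, not Project Zero's code and not the Dolby UDC; the "audio frame" layout (one count byte followed by little-endian int16 samples) is constructed for the example. It shows the bug shape (an attacker-controlled count that is checked against the input length but not against the output buffer) beside the hand-written check that -fbounds-safety emits automatically for a pointer annotated `__counted_by`. The check is written by hand so the file compiles with any C compiler; under -fbounds-safety the same violation would trap instead of returning an error code.

```c
/* Added example for this thread: a toy audio-frame decoder showing the bug
 * class that -fbounds-safety targets and the check it inserts. Not Project
 * Zero's code and not the Dolby Unified Decoder; the frame format below is
 * constructed for the example:
 *   byte 0      : number of 16-bit samples the frame claims to carry
 *   bytes 1..   : little-endian int16 samples
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_SAMPLES 8

typedef struct {
    size_t  count;                 /* number of valid entries in samples[] */
    int16_t samples[MAX_SAMPLES];  /* with -fbounds-safety a heap variant would be
                                      declared `int16_t *samples __counted_by(count)`
                                      and every samples[i] would be checked against
                                      count by the compiler */
} frame_t;

static int16_t read_le16(const uint8_t *p)
{
    return (int16_t)(p[0] | (p[1] << 8));
}

/* Vulnerable shape: the header count is validated against the INPUT length
 * (so the read side is safe) but never against the OUTPUT buffer, so a
 * count > MAX_SAMPLES writes past samples[]. Plain C emits no check here. */
int decode_unchecked(const uint8_t *in, size_t in_len, frame_t *out)
{
    if (in_len < 1) return -1;
    size_t n = in[0];
    if (in_len < 1 + 2 * n) return -1;          /* read bound: checked */
    for (size_t i = 0; i < n; i++)               /* write bound: NOT checked */
        out->samples[i] = read_le16(in + 1 + 2 * i);
    out->count = n;
    return 0;
}

/* Hardened shape: the explicit bound check that -fbounds-safety would insert
 * on every indexed access to a __counted_by buffer. A violation becomes a
 * deterministic failure (here an error code; under the flag, a trap), not a
 * silent overwrite of whatever follows samples[] in memory. */
int decode_checked(const uint8_t *in, size_t in_len, frame_t *out)
{
    if (in_len < 1) return -1;
    size_t n = in[0];
    if (n > MAX_SAMPLES) return -2;              /* bound the write, not just the read */
    if (in_len < 1 + 2 * n) return -1;
    for (size_t i = 0; i < n; i++)
        out->samples[i] = read_le16(in + 1 + 2 * i);
    out->count = n;
    return 0;
}

/* Constructed inputs. good_frame carries two samples: 0x1234 and -1.
 * make_bad_frame builds a frame whose header claims 200 samples and whose
 * body is long enough that the read-side check in decode_unchecked passes. */
static const uint8_t good_frame[] = { 2, 0x34, 0x12, 0xFF, 0xFF };

static size_t make_bad_frame(uint8_t *buf, size_t cap)
{
    size_t len = 1 + 2 * 200;
    if (cap < len) return 0;
    memset(buf, 0, len);
    buf[0] = 200;
    return len;
}

/* Returns the decode_checked result for the oversized frame (-2 expected). */
int demo_checked_rejects_oversized(void)
{
    uint8_t buf[1 + 2 * 200];
    frame_t f;
    size_t len = make_bad_frame(buf, sizeof buf);
    return decode_checked(buf, len, &f);
}

/* Returns the second decoded sample of good_frame (-1 expected), using the
 * checked decoder; first sample is 0x1234 and count is 2. */
int demo_checked_accepts_valid(frame_t *f)
{
    return decode_checked(good_frame, sizeof good_frame, f);
}

int main(void)
{
    frame_t f;
    printf("oversized frame via checked decoder: %d\n", demo_checked_rejects_oversized());
    if (demo_checked_accepts_valid(&f) == 0)
        printf("valid frame: count=%zu s0=0x%04x s1=%d\n", f.count, (unsigned)f.samples[0], f.samples[1]);
    /* decode_unchecked is deliberately never called on the oversized frame:
     * doing so is the out-of-bounds write the hardened version prevents. */
    return 0;
}
```

The point of the pair is that nothing in `decode_unchecked` looks wrong to a reviewer who only checks the input length; the missing check is on the destination, which is exactly the bound that `__counted_by` lets the compiler see and enforce without a human remembering to write it.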
-
@natashenka I don't know that a single click matters, unless you design it well. See also https://infosec.exchange/@adamshostack/115884932482637376
-
@gsuberland @natashenka IIRC that was already the case with Stagefright, which was also very similar in that it targeted media libraries involved in MMS
-
@natashenka Using #grapheneos on our Pixel phone is a workaround / solution, right? 🤔😉
-
@GrapheneOS Would this exploit have been possible on GrapheneOS?
-
@natashenka breaking out of the decoder is cooked, but I guess this one doesn't integrate into the hardware that much? or does it
-
@natashenka a-bloody-mazing ! Thanks for the hard work
-
@natashenka@infosec.exchange Does it apply to other sms apps on a Pixel?
-