Today, Project Zero released a 0-click exploit chain for the Pixel 9.

Make sure to check out the full series here: https://projectzero.google/2026/01/pixel-0-click-part-1.html

Supply-chain issues also played a role: both vulnerabilities were patched very slowly, due to a variety of factors including bug prioritization, licensing and communication between vendors.

Attack surface reduction is also important— the UDC is largely used by commercial media like TV shows, most devices don’t even have an encoder.

Does it really need to be 0-click?

IMO, the biggest takeaway from this research is the huge promise shown by memory mitigations, both hardware and software, in protecting users against 0-days.

IMO, the biggest takeaway from this research is the huge promise shown by memory mitigations, both hardware and software, in protecting users against 0-days.

We hope this flag makes it out of Clang experimental, and more vendors start using it!

https://clang.llvm.org/docs/BoundsSafety.html

Remarkably, iOS also integrates the UDC in a 1-click context, but this bug is not exploitable, because the codec is compiled with -fbounds-safety, which inserted bounds checking instructions, making the bug unreachable.

The second bug, CVE-2025-36934, is a driver UaF which only affects the Pixel 9, but Project Zero has found many other bugs with similar impact affecting other devices over the past couple years.

The first bug in the chain is CVE-2025-54957, a memory corruption bug in the Dolby Unified Decoder, an audio codec integrated by most Android devices’ OEMs. It is 0-click because incoming SMS and RCS audio messages are automatically transcribed by the system.

Today, Project Zero released a 0-click exploit chain for the Pixel 9. While it targets the Pixel, the 0-click bug and exploit techniques we used apply to most other Android devices.

https://projectzero.google/2026/01/pixel-0-click-part-1.html