Project Zero has revealed a complex zero-click exploit chain that targets the Pixel 9 smartphone, proving that extremely sophisticated attacks are still feasible even in the face of contemporary Android security measures. The study, which was released in January 2026, demonstrates how threat actors could use audio attachments in SMS and RCS messages to compromise devices without requiring user input.
Important Weaknesses in the Audio Decoding Process
The exploit chain makes use of two serious flaws: CVE-2025-54957 in the Dolby Unified Decoder, and CVE-2025-36934 in a driver that can be reached from the decoder's sandbox on Pixel 9 devices. CVE-2025-54957 is an integer overflow in the Dolby Digital Plus audio decoder, a component that sits in the zero-click attack surface of the majority of Android devices currently in use.
Inadequate bounds checking in the decoder's processing of Extensible Metadata Delivery Format (EMDF) payloads is the source of the vulnerability, which enables attackers to cause controlled buffer overruns. Dolby Digital (AC-3) and Dolby Digital Plus (EAC-3) audio are processed by the Dolby Unified Decoder, which is compatible with Windows, Android, iOS, and media streaming devices. The vulnerable component on the Pixel 9 is located in /vendor/lib64/libcodec2_soft_ddpdec.so.
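To make the vulnerability class concrete, the following is an added illustration (it is not Dolby's or Project Zero's code, and the record layout is a constructed, hypothetical length-prefixed format rather than real EMDF): a bounds check that computes "offset + length" in 32-bit arithmetic wraps when an attacker-chosen length is large enough, so the check passes and the copy that follows would run past the end of the payload. The hardened form compares the length against the remaining space instead, so no intermediate value can overflow.

```c
#include <stdint.h>
#include <stdio.h>

/* Naive bounds check as often written: "does the record end inside the
 * buffer?"  With 32-bit arithmetic, offset + len can wrap past zero, so a
 * huge attacker-chosen length compares as small and passes. */
int bounds_ok_naive(uint32_t offset, uint32_t len, uint32_t size)
{
    return offset + len <= size;      /* BUG: the sum can overflow */
}

/* Hardened check: compare against the remaining space instead of computing
 * the end, so no intermediate value can overflow. */
int bounds_ok_safe(uint32_t offset, uint32_t len, uint32_t size)
{
    return offset <= size && len <= size - offset;
}

/* Read a 32-bit little-endian length field without assuming host byte order. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk a payload made of "u32 len | len bytes" records (constructed format,
 * not EMDF) using the hardened check.  Returns the record count, or -1 if
 * any record would extend past the end of the payload. */
int count_records(const uint8_t *payload, uint32_t size)
{
    uint32_t offset = 0;
    int count = 0;
    while (offset < size) {
        if (!bounds_ok_safe(offset, 4, size))
            return -1;                /* truncated length field */
        uint32_t len = read_le32(payload + offset);
        offset += 4;
        if (!bounds_ok_safe(offset, len, size))
            return -1;                /* body would overrun the payload */
        offset += len;
        count++;
    }
    return count;
}

/* Constructed sample inputs (not real decoder data). */
const uint8_t GOOD_PAYLOAD[] = {
    3, 0, 0, 0, 'a', 'b', 'c',        /* record 1: 3-byte body */
    2, 0, 0, 0, 'x', 'y'              /* record 2: 2-byte body */
};
/* A length of 0xFFFFFFFC makes 4 + len wrap to 0 in 32-bit arithmetic. */
const uint8_t CRAFTED_PAYLOAD[] = {
    0xFC, 0xFF, 0xFF, 0xFF, 'a', 'b', 'c', 'd'
};

int main(void)
{
    uint32_t size = sizeof CRAFTED_PAYLOAD;   /* 8 */
    printf("naive check accepts crafted length: %d\n",
           bounds_ok_naive(4, 0xFFFFFFFCu, size));   /* 1 (wrong) */
    printf("safe check accepts crafted length:  %d\n",
           bounds_ok_safe(4, 0xFFFFFFFCu, size));    /* 0 */
    printf("good payload records: %d\n",
           count_records(GOOD_PAYLOAD, sizeof GOOD_PAYLOAD));       /* 2 */
    printf("crafted payload records: %d\n",
           count_records(CRAFTED_PAYLOAD, sizeof CRAFTED_PAYLOAD)); /* -1 */
    return 0;
}
```

The "remaining space" form is the same check that compilers enforce automatically when code is built with bounds-safety annotations; the article notes below that the decoder built with -fbounds-safety on Apple platforms appears to resist this exploitation method, which is the same defensive idea applied at the toolchain level rather than by hand.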
AI-powered transcription features increase the zero-click attack surface because Google Messages hands incoming audio attachments to the decoder automatically, before users open them. Researchers from Project Zero created a proof-of-concept exploit that required three carefully constructed MP4 files to be sent as message attachments.
The attack manipulates the decoder's memory allocation system by specifically targeting the "evo heap" structure and taking advantage of weaknesses in Android's scudo allocator.
Figure: Layout of Decoder Memory
The exploit achieves arbitrary code execution within the mediacodec context by carefully staging memory overwrites and using partial ASLR bypass techniques. Using write primitives the researchers call WRITE DYNAMIC, WRITE STATIC, and WRITE DYNAMIC FAST to manipulate memory regions, they were able to take control of the program counter by overwriting function pointers in the static buffer.
In order to elevate privileges from the mediacodec sandbox to the kernel level and complete the device compromise, the exploit then chains to CVE-2025-36934.
The exploit takes an average of six minutes to compromise a target device, and it succeeds only about once every 256 attempts because of the guessing that Address Space Layout Randomization (ASLR) imposes. Although this still offers a feasible attack window for skilled threat actors, the intricacy highlights both the resilience of Android's security architecture and the tenacity of knowledgeable adversaries. As of January 5, 2026, Google had fixed both vulnerabilities.
Although important gaps were found, Project Zero's research highlights that a number of Android mitigations, especially the ASLR implementation, proved successful. Seccomp policies present on rival devices such as the Samsung S24 were conspicuously absent from the Pixel 9, and the accessibility of /proc/self/mem gave attackers an easy way to execute code. The Dolby decoder compiled with -fbounds-safety on iOS and macOS appears to be resistant to this particular exploitation method.
In addition to emphasizing the ongoing significance of quickly patching media decoder and driver vulnerabilities on mobile platforms, the disclosure aims to educate defenders about real zero-click attack techniques. In later blog posts, Project Zero will provide more technical information about privilege escalation strategies and defensive advice.