Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One ef...

Project Zero is Google's security research team dedicated to finding and fixing zero-day vulnerabilities in software and hardware, aiming to improve the security of the broader internet ecosystem. Security researchers can learn about vulnerability research, exploit development, and responsible disclosure practices to contribute to making the internet safer for everyone.

Project Zero

Google Project Zero details a sophisticated 0-click exploit chain targeting the Pixel 9 through a vulnerability (CVE-2025-54957) in the Dolby Unified Decoder. The exploit leverages an integer overflow in EMDF payload processing to achieve arbitrary code execution in the mediacodec context. The attack chain involves manipulating heap allocations, bypassing ASLR through probabilistic techniques, and using ROP gadgets to ultimately write shellcode via /proc/self/mem. The vulnerability affects most Android devices and was triggered automatically when audio attachments are received via SMS/RCS for AI-powered transcription features.

A 0-click exploit chain for the Pixel 9 Part 1: Decoding Dolby