With the advent of a potential Dolby Unified Decoder RCE exploit, it seemed prudent to see what kind of Linux kernel drivers might be accessible from the res...

Project Zero is Google's security research team dedicated to finding and fixing zero-day vulnerabilities in software and hardware, aiming to improve the security of the broader internet ecosystem. Security researchers can learn about vulnerability research, exploit development, and responsible disclosure practices to contribute to making the internet safer for everyone.

Project Zero

Google Project Zero researcher details the second stage of a Pixel 9 exploit chain: escaping the mediacodec sandbox through vulnerabilities in the BigWave AV1 decoder driver. The researcher discovered three bugs in /dev/bigwave, including a use-after-free that enables arbitrary kernel read/write. The exploit bypasses KASLR without leaking addresses by targeting kernel .data at a fixed linear map location, then achieves privilege escalation by manipulating ashmem file operations handlers and disabling SELinux. The writeup includes technical details on forging kernel data structures, integrating with the Dolby RCE exploit, and using LLMs to streamline exploit development.

A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Wave

Defeating KASLR (by doing nothing at all)