A Google Project Zero researcher details the second stage of a Pixel 9 exploit chain: escaping the mediacodec sandbox through vulnerabilities in the BigWave AV1 decoder driver. The researcher found three bugs in /dev/bigwave, including a use-after-free that is turned into an arbitrary kernel read/write primitive. The exploit needs no address leak to defeat KASLR: the kernel's .data section is reachable at a fixed location in the linear map, so it can be targeted directly. From there, privilege escalation is achieved by manipulating the ashmem file_operations handlers and disabling SELinux. The writeup covers forging kernel data structures, integrating this stage with the earlier Dolby RCE exploit, and using LLMs to streamline exploit development.
Table of contents
The (Very Short) Bug Hunt
The Nicest Bug
Defeating KASLR (by doing nothing at all)
Creating an arbitrary read/write
Integrating into the Dolby exploit
Finalizing the exploit