A 0-click exploit chain for the Pixel 9 Part 1: Decoding Dolby
Summary
Google Project Zero researchers discovered a zero-click exploit chain in the Pixel 9 related to audio decoding. CVE-2025-54957, a vulnerability in the Dolby Unified Decoder, affects many Android devices due to automatic audio transcription features in messaging apps. Further investigation uncovered CVE-2025-36934, a driver vulnerability accessible from the decoder's sandbox on a Pixel 9.
IFF Assessment
The discovery of zero-click vulnerabilities in widely used audio decoders represents a significant threat to Android devices.
Severity
Defender Context
Defenders should prioritize patching CVE-2025-54957 and CVE-2025-36934 (once available) across their Android fleet. Zero-click vulnerabilities are particularly concerning as they require no user interaction, increasing the risk of widespread exploitation. The trend of AI-powered features increasing the attack surface emphasizes the need for robust security reviews of media processing components.