What Happened
With the advent of a potential Dolby Unified Decoder RCE exploit, it seemed prudent to see what kind of Linux kernel drivers might be accessible from the resulting userland context, the mediacodec context. As per the AOSP documentation, the mediacodec SELinux context is intended to be a constrained (a.k.a. sandboxed) context where non-secure software decoders are utilized. Nevertheless, using my DriverCartographer tool, I discovered an interesting device driver, /dev/bigwave, that was accessible from the mediacodec SELinux context. BigWave is hardware present on the Pixel SoC that accelerates AV1 decoding tasks, which explains why it is accessible from the mediacodec context. As previous research has copiously affirmed, Android drivers for hardware devices are prime places to find powerful local privilege escalation bugs. The BigWave driver was no exception: across a couple hours of auditing the code, I discovered three separate bugs, including one that was powerful enough to escape the mediacodec sandbox and get kernel arbitrary read/write on the Pixel 9.
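The first step the post describes, working out which device nodes a supposedly sandboxed domain can still open and ioctl, can be reproduced offline from two artifacts pulled off a device: `ls -lZ /dev` and the SELinux allow rules for the domain (`sesearch -A -s mediacodec -c chr_file sepolicy`). The script below is an added example written for this page; it is not the DriverCartographer tool from the post and makes no claim about how that tool works. Both inputs are constructed: the `bigwave_device` label, the node owners and modes, the specific allow rules, and the mediacodec user's supplementary groups are all assumptions for illustration, not values taken from a Pixel image. A node counts as reachable only when both the DAC bits and the SELinux policy permit open, read, write and ioctl, since that is the minimum needed to hit a driver's ioctl handler.

```python
"""Which /dev nodes can a sandboxed Android domain open and ioctl?

Added example for this page, not the DriverCartographer tool from the post.
Both inputs below are constructed; the labels, owners, modes, allow rules and
group memberships are illustrative assumptions, not data from a real device.
"""
import re
from dataclasses import dataclass

# Constructed `ls -lZ /dev` excerpt (toybox column layout).
LS_LZ = """\
crw-rw---- 1 system graphics   u:object_r:gpu_device:s0     226,   0 2025-01-01 00:00 mali0
crw-rw---- 1 system mediacodec u:object_r:bigwave_device:s0  10, 120 2025-01-01 00:00 bigwave
crw-rw-rw- 1 root   root       u:object_r:null_device:s0      1,   3 2025-01-01 00:00 null
crw-r----- 1 root   system     u:object_r:kmsg_device:s0      1,  11 2025-01-01 00:00 kmsg
crw-rw---- 1 system camera     u:object_r:video_device:s0    81,   0 2025-01-01 00:00 video0
"""

# Constructed `sesearch -A -s mediacodec -c chr_file sepolicy` output.  sesearch
# already restricted the query to the domain, so the source field may be the
# domain itself or an attribute (e.g. `domain`) that the domain carries.
SESEARCH = """\
allow mediacodec gpu_device:chr_file { getattr ioctl map open read write };
allow mediacodec bigwave_device:chr_file { getattr ioctl map open read write };
allow domain null_device:chr_file { append getattr ioctl lock map open read write };
allow mediacodec video_device:chr_file { getattr };
"""


@dataclass(frozen=True)
class Subject:
    uid: str            # user name the process runs as (not root: no DAC bypass)
    groups: frozenset   # primary plus supplementary group names


# Assumed identity of the mediacodec service process (constructed).
MEDIACODEC = Subject("mediacodec", frozenset({"mediacodec", "camera", "drmrpc", "mediadrm"}))


@dataclass(frozen=True)
class DevNode:
    name: str
    mode: str     # e.g. "crw-rw----"
    owner: str
    group: str
    setype: str   # TYPE from u:object_r:TYPE:s0


def parse_ls_lz(text):
    """Keep character devices from `ls -lZ` output; the name is the last field."""
    nodes = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or not tok[0].startswith("c"):
            continue
        setype = tok[4].split(":")[2]
        nodes.append(DevNode(tok[-1], tok[0], tok[2], tok[3], setype))
    return nodes


RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):chr_file\s+\{\s*([^}]*)\}\s*;")


def parse_sesearch(text):
    """Return {target_type: set(perms)} from chr_file allow rules."""
    perms = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            perms.setdefault(m.group(2), set()).update(m.group(3).split())
    return perms


def dac_allows(node, subj):
    """UNIX check for open(O_RDWR): r and w bits of the applicable class."""
    if subj.uid == node.owner:
        bits = node.mode[1:4]
    elif node.group in subj.groups:
        bits = node.mode[4:7]
    else:
        bits = node.mode[7:10]
    return bits[0] == "r" and bits[1] == "w"


NEEDED = {"open", "read", "write", "ioctl"}


def reachable_drivers(ls_text, sesearch_text, subj):
    """Map device name -> verdict.  'reachable' means DAC and SELinux both
    allow open/read/write/ioctl, so the driver's ioctl handler is in scope."""
    perms = parse_sesearch(sesearch_text)
    verdict = {}
    for node in parse_ls_lz(ls_text):
        missing = NEEDED - perms.get(node.setype, set())
        if not dac_allows(node, subj):
            verdict[node.name] = "blocked by DAC (%s:%s %s)" % (node.owner, node.group, node.mode)
        elif missing:
            verdict[node.name] = "blocked by SELinux (%s lacks %s)" % (node.setype, " ".join(sorted(missing)))
        else:
            verdict[node.name] = "reachable"
    return verdict


if __name__ == "__main__":
    for name, why in sorted(reachable_drivers(LS_LZ, SESEARCH, MEDIACODEC).items()):
        print("%-8s %s" % (name, why))
```

With the constructed inputs, `bigwave` and `null` come out reachable, `mali0` is stopped by the group bits even though policy would allow it, `video0` passes DAC but the policy grants only `getattr`, and `kmsg` fails both. The point of modelling both layers is that a driver audit should start from the intersection, not from the SELinux policy alone: a vendor policy that grants `ioctl` on a node the process can also open is exactly the case the post found.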
Why It Matters
The post is part 2 of the Pixel 9 zero-click research. Starting from the userland foothold a Dolby Unified Decoder RCE would provide (the mediacodec SELinux domain), the author mapped which kernel drivers that nominally sandboxed domain can still reach, found the /dev/bigwave AV1 hardware-decoder driver among them, and in a few hours of auditing found three bugs, one of which is enough on its own to escape the sandbox and obtain arbitrary kernel read/write.[1][4] The lesson is that hardware-accelerated media stacks add kernel-facing attack surface to a process that is only nominally isolated: SELinux confines mediacodec, but any device node it is allowed to open and ioctl puts a vendor driver, and through it the kernel, within reach of whoever controls the decoder.[1][4] From a CyberSE.AI perspective, the same media pipeline feeds AI-adjacent features such as on-device transcription and content understanding, so those features inherit this attack surface even though they never touch the driver directly. Organizations deploying AI agents or AI-enhanced features on endpoints should treat the decoders and accelerator drivers reachable from those components as privileged attack surface: enumerate it, constrain it at the OS and SELinux policy level, red-team it, and include chained escalation (media RCE, then driver bug, then kernel) in AI security readiness and secure agent build reviews.
CyberSE Analysis
This signal maps to malicious AI use. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue (a sandboxed media or inference component that can reach a privileged kernel driver) could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Inventory the device nodes and drivers that sandboxed media and AI-feature processes can open and ioctl (DAC bits plus SELinux policy), and remove access the feature does not need.
- Track the vendor fixes for the bugs described in the source and verify they are applied to managed Pixel devices.
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Red-team media ingestion paths end to end, including exploit-chaining scenarios (decoder RCE followed by driver-level privilege escalation), in addition to prompt injection and indirect prompt injection tests.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://projectzero.google/2026/01/pixel-0-click-part-2.html