What Happened
Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One effect of this change is increased 0-click attack surface, as efficient analysis often requires message media to be decoded before the message is opened by the user. One such feature is audio transcription. Incoming SMS and RCS audio attachments received by Google Messages are now automatically decoded with no user interaction. As a result, audio decoders are now in the 0-click attack surface of most Android phones. I’ve spent a fair bit of time investigating these decoders, first reporting CVE-2025-49415 in the Monkey’s Audio codec on Samsung devices. Based on this research, the team reviewed the Dolby Unified Decoder, and Ivan Fratric and I reported CVE-2025-54957. This vulnerability is likely in the 0-click attack surface of most Android devices in use today. In parallel, Seth Jenkins investigated a driver accessible from the sandbox the decoder runs in on a Pixel 9, and reported CVE-2025-36934.
Why It Matters
The article reports that AI-powered features in Google Messages, specifically automatic audio transcription of SMS/RCS attachments, have expanded the zero-click attack surface on Android phones by causing audio to be decoded without user interaction.[1][3] Project Zero researchers chained CVE-2025-54957 (an integer overflow in the Dolby Unified Decoder used for AC-3/EAC-3 audio) with CVE-2025-36934 (a driver bug reachable from the decoder sandbox on Pixel 9) to achieve remote code execution and kernel-level compromise via crafted audio in message attachments; these vulnerabilities were patched in early 2026.[1][3]

From a CyberSE.AI perspective, this demonstrates how AI-driven, automatic content processing pipelines can be weaponized by adversaries, turning AI-enhanced usability features (like message understanding and transcription) into zero-click compromise vectors. Organizations deploying AI features that auto-ingest and transform untrusted media or messages should treat these components as high-risk attack surfaces, and engage services such as Secure AI Agent Build, Continuous AI Red Teaming, and AI Security Readiness Assessment to apply least-privilege sandboxing, robust memor
CyberSE Analysis
This signal maps to malicious AI use. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://projectzero.google/2026/01/pixel-0-click-part-1.html