Full Report
While our previous two blog posts provided technical recommendations for increasing the effort required by attackers to develop 0-click exploit chains, our experience finding, reporting and exploiting these vulnerabilities highlighted some broader issues in the Android ecosystem. This post describes the problems we encountered and recommendations for improvement.

## Audio Attack Surface

The Dolby UDC is part of the 0-click attack surface of most Android devices because of audio transcription in the Google Messages application. Incoming audio messages are transcribed before a user interacts with the message. On Pixel 9, a second process, com.google.android.tts, also decodes incoming audio. Its purpose is not completely clear, but it seems to be related to making incoming messages searchable.
Analysis Summary
This document summarizes findings related to vulnerabilities identified during research into 0-click exploit chains on Android devices, specifically focusing on the attack surface related to audio processing.
# Vulnerability: Components in the Audio Attack Surface (Dolby UDC and TTS Process)
## CVE Details
- CVE ID: **CVE-2025-54957** (Found in Dolby UDC)
- CVE ID: **CVE-2025-36934** (Found in BigWave driver, mentioned contextually as part of the overall research)
- CVSS Score: Not provided in the text.
- CWE: Not explicitly stated, but context implies memory corruption vulnerabilities stemming from audio decoding components.
## Affected Systems
- Products: Dolby UDC (part of the 0-click attack surface), Google Messages application, `com.google.android.tts` process (on Pixel 9).
- Versions: Specific vulnerable versions are not detailed, but the discussion centers on the implementation on **Pixel 9** devices.
- Configurations: Devices utilizing Dolby UDC for transcription of incoming audio messages in Google Messages.
## Vulnerability Description
The vulnerability research highlighted that components handling the automatic transcription of incoming audio messages (specifically the **Dolby UDC** integrated by OEMs, and potentially the `com.google.android.tts` process on Pixel 9) significantly expand the 0-click attack surface. These processes decode incoming audio without user interaction. The recommendation is to remove uncommonly-used decoders like the Dolby UDC from this critical attack path to reduce the potential impact of vulnerabilities within these codecs.
## Exploitation
- Status: **Proof of concept developed** by Project Zero researchers as part of a 0-click exploit chain demonstration; the text does not report exploitation in the wild.
- Complexity: The bugs were quick to find (less than two days for CVE-2025-54957 after setup), so turning them into a working exploit is estimated as a **Medium** investment for a well-resourced attacker (on the order of person-weeks).
- Attack Vector: **Network** (incoming audio message delivery).
## Impact
The context suggests high impact as these vulnerabilities were integrated into a 0-click exploit chain capable of achieving privilege escalation.
- Confidentiality: High (Impact described by successful exploit chain)
- Integrity: High (Impact described by successful exploit chain)
- Availability: Medium to High
## Remediation
### Patches
- The Dolby UDC vulnerability (CVE-2025-54957) was **eventually patched by Pixel**. Specific patch versions are not listed.
- Other identified vulnerabilities (like CVE-2025-36934 in the BigWave driver) were also patched.
### Workarounds
1. **Reduce Attack Surface:** Vendors should remove uncommonly-used decoders, such as the Dolby UDC, from the 0-click attack surface (code executed remotely before user interaction).
2. **Driver Security Improvement:** For drivers generally, potential mitigations include rewriting vulnerable drivers in memory-safe languages (like Rust), reducing unprivileged context access to drivers, and ensuring driver code updates are easily deliverable.
## Detection
- **Gaps in Fuzzing:** It was noted that existing fuzzing efforts (e.g., OSS-Fuzz) might not cover all OEM components like the Dolby UDC, suggesting this is a gap in current detection strategies.
- **Ongoing Review:** Continuous, rigorous analysis of the 0-click attack surface, coupled with comprehensive fuzzing and security reviews of components like drivers, is necessary.
## References
- Vendor advisories for the specific CVEs are not included here; this summary focuses on the *research findings*.
- Relevant links (defanged):
  - [hxxps://projectzero.google/2026/01/pixel-0-click-part-3.html](https://projectzero.google/2026/01/pixel-0-click-part-3.html)
  - General driver-security research links cited in the text.