What is CVE-2025-54957 in Pixel 9?

Dolby Unified Decoder buffer overflow via crafted DD+ audio in Google Messages—0-click RCE in mediacodec.

Can 0-click exploits still hit updated Pixel 9?

No, fixed Jan 2026 patches seal it—but unpatched devices worldwide remain at risk.

Why do audio decoders enable Android 0-click attacks?

Auto-transcription decodes RCS/SMS media pre-open, bloating attack surface with parser bugs.

Pixel 9's Dolby Decoder: The 0-Click Path Project Zero Just Paved Wide Open

A single SMS audio file. Zero taps. Full code execution on Pixel 9. Project Zero didn't just find bugs—they chained them into a nightmare for Android's vaunted security.

Threat Digest Apr 02, 2026 3 min read 13 views

Pixel 9 displaying Google Messages with incoming audio attachment and overlaid exploit code visualization

⚡ Key Takeaways

Project Zero chained Dolby decoder RCE to kernel priv-esc on Pixel 9 via SMS audio—no user interaction. 𝕏
Dolby's skip buffer in DD+ allows spec-compliant overflows, hitting most Androids with UDC blobs. 𝕏
AI features like auto-transcription massively expand 0-click surface; media vulns demand priority fixes. 𝕏

Published by

Threat Digest

Threat intelligence. Zero noise.

#0-click attack #Dolby UDC #Dolby decoder CVE #Pixel 9 exploit #Project Zero

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by Google Project Zero

⚡ Key Takeaways

The 60-Second TL;DR

Threat Digest

Share this article

Worth sharing?

Related Stories

Pixel 9's Silent Killer: 0-Click Exploits via Obscure Audio Codecs

Pixel 9 Cracked Open: BigWave Driver's Triple Bug Sandbox Escape

Project Zero's Blog Glow-Up: Old Exploits Still Fresh as Yesterday's Zero-Day

Ransomware's Vicious Evolution: From Locks to Blackmail and Beyond

Stay in the loop