Executive Summary
In 2025, security researchers demonstrated a critical 0-click exploit chain targeting Google Pixel 9 and other Android devices, leveraging vulnerabilities in the Dolby UDC audio codec and the BigWave driver. Attackers could remotely execute code without user interaction by exploiting flaws in audio file processing and privilege escalation within device drivers. Despite early reporting and clear exploitability, it took vendors up to 139 days to release patches, leaving millions of Android users at risk. Gaps in patch management, inconsistent security controls, and delayed vulnerability classification contributed to prolonged exposure and a significant operational risk.
This incident underscores the urgency of promptly addressing zero-click vulnerabilities and supply chain security issues in mobile ecosystems. As attackers increasingly exploit overlooked decoders, device drivers, and rapidly introduced AI features, coordinated patching and proactive privilege reduction remain essential to counter evolving mobile threats.
Why This Matters Now
Zero-click exploits continue to be a favored method for sophisticated attackers, bypassing user defenses and targeting high-value mobile devices. Delayed patch cycles and fragmented vendor responses increase the window of exposure, highlighting the urgent need for stronger supply chain security, faster patch propagation, and consistent enforcement of security controls amid a rapidly expanding mobile attack surface.
Attack Path Analysis
The attack began when a malicious, specially-crafted audio message was automatically processed by the target device’s UDC decoder, exploiting a zero-click vulnerability for remote code execution. Attackers then leveraged a kernel driver vulnerability for privilege escalation, gaining higher-level access on the device. With elevated privileges, the attacker moved laterally to sensitive components of the OS. Command and control channels were established to maintain access and issue attacker commands. Exfiltration mechanisms, potentially leveraging outbound connections, enabled the attacker to steal sensitive data. Ultimately, the adversary maintained persistence and could disrupt or manipulate device functionality.
Kill Chain Progression
Initial Compromise
Description
A malicious audio message was sent to the device, triggering zero-click exploitation of the Dolby UDC decoder vulnerability upon automatic transcription.
Related CVEs
CVE-2025-54957
CVSS 5.4A buffer overflow vulnerability in Dolby UDC versions 4.5 through 4.13 allows remote attackers to cause a crash or potentially execute arbitrary code via a malformed DD+ bitstream.
Affected Products:
Dolby UDC – 4.5, 4.6, 4.7, 4.8, 4.9, 4.10, 4.11, 4.12, 4.13
Exploit Status:
proof of conceptCVE-2025-36934
CVSS 7.4A use-after-free vulnerability in the BigWave driver of Google Pixel devices allows local attackers to escalate privileges due to a race condition.
Affected Products:
Google Pixel – 9
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Techniques mapped for rapid filtering and SEO; detailed enrichment with full STIX/TAXII or mobile sub-techniques can be performed later.
Exploit Public-Facing Application
Exploitation for Client Execution
Exploitation for Privilege Escalation
Abuse Elevation Control Mechanism: Bypass User Account Control
Exploitation for Defense Evasion
Hijack Execution Flow: DLL Side-Loading
Endpoint Denial of Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Address Newly Discovered Vulnerabilities
Control ID: 6.2.4
NYDFS 23 NYCRR 500 – Cybersecurity Program and Access Controls
Control ID: 500.03, 500.07
DORA (Digital Operational Resilience Act) – ICT Risk Management and Vulnerability Management
Control ID: Art. 10, Art. 15
CISA Zero Trust Maturity Model 2.0 – Continuous Device Security & Patch Management
Control ID: Asset Management & Device Trust
NIS2 Directive – Vulnerability Handling and Security-by-Design
Control ID: Article 21(2)(d), Article 21(2)(e)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Critical exposure to 0-click mobile exploits targeting Android devices through audio transcription, requiring enhanced east-west traffic security and encrypted communications protection.
Financial Services
High risk from mobile device exploitation enabling unauthorized access to financial applications, compromising customer data and requiring immediate zero trust segmentation implementation.
Health Care / Life Sciences
Severe vulnerability in mobile healthcare applications processing audio messages, exposing patient data and violating HIPAA compliance requirements for data protection.
Government Administration
Critical national security implications from 0-click Android exploits enabling unauthorized surveillance and data exfiltration from government mobile communications systems.
Sources
- A 0-click exploit chain for the Pixel 9 Part 3: Where do we go from here?https://projectzero.google/2026/01/pixel-0-click-part-3.htmlVerified
- CVE-2025-54957 Detailhttps://nvd.nist.gov/vuln/detail/CVE-2025-54957Verified
- CVE-2025-36934 Detailhttps://nvd.nist.gov/vuln/detail/CVE-2025-36934Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Network microsegmentation, zero trust enforcement, advanced egress controls, and near-real-time threat detection would have constrained the exploit chain by containing lateral privilege pivoting, detecting anomalous kernel-level activity, and preventing unauthorized outbound data transfer.
Control: Zero Trust Segmentation
Mitigation: Reduced initial attack surface and isolated vulnerable media decoding processes from sensitive resources.
Control: East-West Traffic Security
Mitigation: Detection and limiting of unauthorized internal privilege escalation attempts.
Control: Zero Trust Segmentation
Mitigation: Containment of attacker movement and restricted internal service access.
Control: Egress Security & Policy Enforcement
Mitigation: Detection and blocking of suspicious or unauthorized outbound connections.
Control: Encrypted Traffic (HPE) & Egress Security & Policy Enforcement
Mitigation: Early detection and prevention of data exfiltration attempts.
Rapid anomaly detection and automated response reduced the dwell time and impact.
Impact at a Glance
Affected Business Functions
- Mobile Communications
- Media Playback
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive user data due to unauthorized access facilitated by the exploit chain.
Recommended Actions
Key Takeaways & Next Steps
- • Enforce microsegmentation and least privilege policies for all media and driver-handling processes to minimize exploit reach.
- • Implement robust east-west traffic monitoring and anomaly detection to identify internal privilege escalation and lateral movement attempts.
- • Deploy strong egress filtering and FQDN-based policy enforcement to block external command and control and data exfiltration pathways.
- • Automate vulnerability scanning and patch management for all third-party drivers and decode components to reduce exploit windows.
- • Continuously monitor device and network behaviors with real-time alerting for suspicious activity targeting high-risk or unmanaged endpoints.
