Decoding the Pixel 9 Exploit: Anatomy of a 0-Click Audio Codec Vulnerability

The integration of AI-powered features like automatic audio transcription in messaging apps has expanded the attack surface of mobile devices. By processing media attachments before user interaction, audio decoders like Dolby's Unified Decoder (UDC) now reside squarely in 0-click attack territory. Our analysis of CVE-2025-54957 reveals how subtle specification ambiguities in Dolby's EMDF container handling created a potent exploitation vector:

The Vulnerability Mechanics

At the core lies a dual-primitive flaw in Dolby's DD+ decoding:

1. Buffer Overrun: The variable_bits() function allows unbounded emdf_payload_size values. During allocation, an integer overflow in alignment calculation (total_size += (8 - total_size) % total_size) enables heap corruption with partially controlled data.
2. Controlled Leak: When emdf_container_length exceeds skipl, uninitialized memory beyond the skip buffer can be read. While normally harmless, combined with the overflow, it becomes a powerful tool.

Exploitation Challenges

Android's defenses posed significant hurdles:

• ASLR: Required guessing 4-bit heap alignment (1/16 success) and library load addresses (another 1/16), reducing reliability to ~0.4%. The exploit compensated through repeated transmission attempts.
• SELinux Restrictions: Blocked traditional routes like dlopen() or executable memory. The solution: writing shellcode via /proc/self/mem using pwrite.
• scudo Allocator: Secondary heap header manipulation enabled shifting allocations to create writable gaps before guard pages.

Novel Exploit Primitives

The chain developed three key capabilities:

1. WRITE DYNAMIC: Chained syncframes overwrote the skip pointer to progressively fill the dynamic buffer beyond its 3066-byte limit.
2. WRITE STATIC: Corruption of heap_len and payload_extra allowed arbitrary writes within the static buffer via misaligned EMDF payload allocations.
3. Pointer Surgery: Partial pointer overwrites redirected function calls (e.g., memcpy → increment gadget) to gradually morph fopen into pwrite.

Execution Flow

1. Memory Setup: Shellcode staged via WRITE DYNAMIC before enabling WRITE STATIC.
2. Function Hijacking: DLB_CLqmf_analysisL's function pointers redirected to:
   • Copy GOT entries into writable memory
   • Increment a function pointer toward pwrite 246 times
3. Final Payload: pwrite injected shellcode over __stack_chk_fail in libc, executed via GOT redirection.

Mitigation Insights

While Android's defenses increased exploit complexity, key weaknesses emerged:

• Low-bit ASLR randomization proved more disruptive than high-bit entropy
• Missing seccomp policies on Pixels allowed pwrite syscalls
• -fbounds-safety compilation (used in iOS/macOS UDC) would have blocked the vulnerability
• Scudo's secondary heap lacked checksum protections

This exploit demonstrates how specification ambiguities in media formats become critical vulnerabilities when processed in 0-click contexts. Part 2 will detail the kernel escalation via CVE-2025-36934.

Vulnerabilities fixed January 5, 2026. Tested on Google Pixel 9 running Android 15.