
Sandboxing?

Posted Jan 16, 2026 22:31 UTC (Fri) by josh (subscriber, #17465)
Parent article: A 0-click exploit chain for the Pixel 9 (Project Zero)

It genuinely astonishes me that this wasn't running in a sandbox. Any kind of image/audio/video decoder in a context exposed directly to random untrusted content should be running in a sandbox that has zero access to anything other than the codec data. Not just SELinux like everything else; it should be running in a strict seccomp sandbox. As far as I can tell from reading part 1 of the series, this wasn't.
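An added illustration of the strict per-decoder seccomp allow-list josh describes; this is not code from the Project Zero write-up or from Android's mediacodec policy. It installs a hypothetical filter under which a pure-software decoder may only read, write and exit, so any attempt to open a device node fails with EPERM; the filter, the helper names and the use of `/dev/null` as the stand-in device are constructed for the demo (Linux only).

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#endif
/* Hypothetical allow-list for a software-only decoder: read/write the fds it
 * was handed, then exit. Everything else (openat() of /dev/* included) gets
 * EPERM; a production policy would use SECCOMP_RET_KILL_PROCESS instead. */
static int install_decoder_filter(void) {
    struct sock_filter filter[] = {
        /* Refuse to run under a foreign syscall ABI (e.g. 32-bit compat). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number and compare it against the allow-list. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Fork a "decoder" child, optionally sandbox it, and have it open `path`.
 * Returns 0 on success, the child's errno on failure, -1 on harness failure. */
int decoder_open_result(const char *path, int sandboxed) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (sandboxed && install_decoder_filter() != 0) _exit(255);
        _exit(open(path, O_RDONLY) >= 0 ? 0 : errno); /* open() -> openat() */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}
```

Unsandboxed, the child opens the node; with the filter installed the same open() returns EPERM, which is the property a decoder confined to "codec data only" should exhibit.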


Sandboxing?

Posted Jan 16, 2026 23:35 UTC (Fri) by excors (subscriber, #95769) [Link]

I think that's not possible because of hardware decoders, which need access to more than just the media bitstream. In this case there's a driver at /dev/bigwave that accelerates some AV1 decoding, so that has to be accessible from the mediacodec process. The vulnerable UDC codec runs in the same mediacodec process, and there's a separate vulnerability in /dev/bigwave that allows arbitrary writes to kernel memory, and the two exploits can be chained together.

They say the mediacodec process does have a seccomp policy on many Android devices, but not on Pixel 9 for unknown reasons. But they don't think that would have prevented the exploit, it would have just required a few more weeks of effort.

Sandboxing?

Posted Jan 17, 2026 15:32 UTC (Sat) by paulj (subscriber, #341) [Link]

The decoder _is_ running in a sandbox. They used the decoder bug to then deliver /another/ exploit for the kernel driver for the "BigWave" hardware AV1 decoder - which is accessible from the 'mediacodec' sandbox used for decoding media (though, doesn't seem like this driver was necessary for the /particular/ decoder involved in the initial attack). They quickly found 3 different exploitable bugs in said driver, so... spoiled for choice there.

So, exploit the sandboxed media decoder to deliver the exploit for the hardware decoder acceleration driver -> code execution in kernel -> game over.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds