Mountain View Reverse Engineering (mtvre) meetup on Wed! 7:00 pm at Wagon Wheel BBQ. Talks:
- @tubetime.bsky.social on "HP 16717 PCB Reverse Engineering" (40 min)
- @natashenka.bsky.social on "0-click Android exploits" (25 min)
Ivan Fratric shares some tips and tricks for grammar fuzzing
projectzero.google/2026/03/muta...
In the final part of his blog series, @tiraniddo.dev tells the story of how a bug was introduced into a Windows API.
Code re-writes can improve security, but it’s important not to forget the security properties the code needs to enforce in the process.
projectzero.google/2026/02/gphf...
Part 2 of @tiraniddo.dev’s Windows Administrator Protection journey is here!
projectzero.google/2026/02/wind...
The remarkable true story of how Flash was deprecated
medium.com/@aglaforge/w...
Our intrepid 20%-er Dillon Franke exploited a vulnerability in CoreAudio. See his process for gaining privilege escalation on a Mac:
projectzero.google/2026/01/soun...
No security feature is perfect. @tiraniddo.dev reviewed Windows’ new Administrator Protection and found several bypasses.
projectzero.google/2026/26/wind...
Some extra 0-click fun! Seth Jenkins and I trying to figure out why our exploit isn’t working, when it has, in fact, already started taking and exfiltrating photos
Supply-chain issues also played a role: both vulnerabilities were patched very slowly, due to a variety of factors including bug prioritization, licensing and communication between vendors.
Attack surface reduction is also important: the UDC is largely used by commercial media like TV shows, most devices don't even have an encoder.
Does it really need to be 0-click?
IMO, the biggest takeaway from this research is the huge promise shown by memory mitigations, both hardware and software, in protecting users against 0-days.
We hope this flag makes it out of Clang experimental, and more vendors start using it!
clang.llvm.org/docs/BoundsS...
Remarkably, iOS also integrates the UDC in a 1-click context, but this bug is not exploitable, because the codec is compiled with -fbounds-safety, which inserted bounds checking instructions, making the bug unreachable.
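The post above says the iOS build of the codec was saved by -fbounds-safety inserting bounds checks. The following is an added illustration of that mechanism, not code from the Project Zero post or from the codec: a constructed decoder buffer with a counted flexible array, a decode loop that trusts a packet-supplied count (the vulnerable shape), and the same loop with the comparison against the buffer's count that -fbounds-safety would generate automatically. The frame and packet layouts, the field names and the sample values are all assumptions made for this example; the real bug's details are not on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Under -fbounds-safety the count annotation is required and enforced at every access;
 * on other compilers it expands to nothing (or to the informational counted_by attribute). */
#if defined(__has_attribute)
#  if __has_attribute(counted_by)
#    define COUNTED_BY(field) __attribute__((counted_by(field)))
#  endif
#endif
#ifndef COUNTED_BY
#  define COUNTED_BY(field)
#endif

/* Constructed decoder output buffer for this example; not the real codec's layout. */
struct frame {
    uint32_t nsamples;                       /* capacity fixed at allocation time */
    int16_t  samples[] COUNTED_BY(nsamples); /* compiler knows samples[] has nsamples entries */
};

/* Constructed input packet: count comes straight from the attacker-controlled bitstream. */
struct packet {
    uint32_t       count;       /* number of samples the packet claims to carry */
    const uint8_t *payload;     /* count * 2 bytes of little-endian int16 samples */
    size_t         payload_len;
};

static struct frame *frame_alloc(uint32_t nsamples)
{
    struct frame *f = malloc(sizeof(*f) + (size_t)nsamples * sizeof(int16_t));
    if (f == NULL)
        return NULL;
    f->nsamples = nsamples;
    memset(f->samples, 0, (size_t)nsamples * sizeof(int16_t));
    return f;
}

static int16_t read_sample_le(const uint8_t *p)
{
    return (int16_t)(p[0] | (p[1] << 8));
}

/* Vulnerable shape: the loop bound is the packet's count, not the buffer's capacity.
 * A packet with count > nsamples writes past the end of samples[].
 * With -fbounds-safety, samples[i] for i >= nsamples traps instead of corrupting memory. */
static void decode_unchecked(struct frame *f, const struct packet *p)
{
    for (uint32_t i = 0; i < p->count; i++)
        f->samples[i] = read_sample_le(p->payload + 2 * (size_t)i);
}

/* Hardened shape: the comparison against nsamples is the check -fbounds-safety would insert
 * before every samples[i] store; here the packet is rejected instead of trapping. */
static bool decode_checked(struct frame *f, const struct packet *p)
{
    if (p->count > f->nsamples)
        return false;                       /* would overflow samples[] */
    if ((size_t)p->count * 2 > p->payload_len)
        return false;                       /* would over-read the payload */
    for (uint32_t i = 0; i < p->count; i++)
        f->samples[i] = read_sample_le(p->payload + 2 * (size_t)i);
    return true;
}

/* Constructed scenario: a 4-sample frame fed a packet that claims 6 samples.
 * Returns 1 if the hardened decoder rejects it, 0 otherwise. */
int demo_oversized_packet_rejected(void)
{
    static const uint8_t payload[12] = { 1,0, 2,0, 3,0, 4,0, 5,0, 6,0 };
    struct packet p = { .count = 6, .payload = payload, .payload_len = sizeof payload };
    struct frame *f = frame_alloc(4);
    if (f == NULL)
        return 0;
    bool accepted = decode_checked(f, &p);  /* decode_unchecked(f, &p) would write 2 samples past the end */
    free(f);
    return accepted ? 0 : 1;
}

/* Constructed scenario: a well-formed 4-sample packet goes through both decoders.
 * Returns the sum of the decoded samples (1+2+3+4 = 10), or -1 if the checked decoder rejects it. */
int demo_valid_packet_sum(void)
{
    static const uint8_t payload[8] = { 1,0, 2,0, 3,0, 4,0 };
    struct packet p = { .count = 4, .payload = payload, .payload_len = sizeof payload };
    struct frame *f = frame_alloc(4);
    if (f == NULL)
        return -1;
    decode_unchecked(f, &p);                /* safe here: count fits the frame */
    if (!decode_checked(f, &p)) { free(f); return -1; }
    int sum = 0;
    for (uint32_t i = 0; i < f->nsamples; i++)
        sum += f->samples[i];
    free(f);
    return sum;
}

int main(void)
{
    return (demo_oversized_packet_rejected() == 1 && demo_valid_packet_sum() == 10) ? 0 : 1;
}
```

Building with a -fbounds-safety-capable clang turns the unchecked loop's out-of-bounds store into a trap, which is the "unreachable" outcome the post describes; on a conventional toolchain only the explicit check in decode_checked stands between the packet's count field and the heap.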
This exploit, including bug finding, took roughly 16 person-weeks of effort by Ivan Fratric, Seth Jenkins and me. This is a surprisingly low cost considering the impact.
The second bug, CVE-2025-36934, is a driver UaF which only affects the Pixel 9, but Project Zero has found many other bugs with similar impact affecting other devices over the past couple years.
The first bug in the chain is CVE-2025-54957, a memory corruption bug in the Dolby Unified Decoder, an audio codec integrated by most Android devices’ OEMs. It is 0-click because incoming SMS and RCS audio messages are automatically transcribed by the system.
Today, Project Zero released a 0-click exploit chain for the Pixel 9. While it targets the Pixel, the 0-click bug and exploit techniques we used apply to most other Android devices.
projectzero.google/2026/01/pixe...
But wait, I haven’t read all the “Best Books of 2024” yet
Thank you, we love the design 😍
We launched a redesigned Project Zero website today at projectzero.google !
To mark the occasion, we released some older posts that never quite made it out of drafts.
Enjoy!
An analysis of a recent 0-click exploit targeting Samsung devices: googleprojectzero.blogspot.com/2025/12/a-lo...
Crime show: “We know the victim died at night because we found beef in his stomach.”
Me, shoving a left-over burger in my face at 7am: 🫢
Your phone’s more likely to hit the ASLR state you need if you put a lucky dragon on it
I love how my city sends me text message alerts when there’s the chance to see a sinkhole
New Blog Post: Seth Jenkins broke kASLR by doing … nothing 😩
googleprojectzero.blogspot.com/2025/11/defe...
Integrators should update today!
Serious bugs often occur in third-party components integrated by other software. Ivan Fratric and I found this vulnerability in the Dolby Unified Decoder. It affects Android, iOS and Windows among other platforms, sometimes 0-click.
project-zero.issues.chromium.org/issues/42807...
Super cool potential ASLR leak involving dictionary hashes! googleprojectzero.blogspot.com/2025/09/poin...