Full Report
With the advent of a potential Dolby Unified Decoder RCE exploit, it seemed prudent to see what kind of Linux kernel drivers might be accessible from the resulting userland context, the mediacodec context. As per the AOSP documentation, the mediacodec SELinux context is intended to be a constrained (a.k.a. sandboxed) context where non-secure software decoders are utilized. Nevertheless, using my DriverCartographer tool, I discovered an interesting device driver, /dev/bigwave, that was accessible from the mediacodec SELinux context. BigWave is hardware present on the Pixel SOC that accelerates AV1 decoding tasks, which explains why it is accessible from the mediacodec context. As previous research has copiously affirmed, Android drivers for hardware devices are prime places to find powerful local privilege escalation bugs. The BigWave driver was no exception: across a couple of hours of auditing the code, I discovered three separate bugs, including one that was powerful enough to escape the mediacodec sandbox and get kernel arbitrary read/write on the Pixel 9.
Analysis Summary
This summary focuses on the critical vulnerability found in the BigWave driver, as it provided the arbitrary kernel read/write primitive required for sandbox escape.
# Vulnerability: BigWave Driver Use-After-Free leading to Pixel 9 Kernel R/W
## CVE Details
* **CVE ID:** Not explicitly assigned in the provided text at the time of writing (research disclosed January 14, 2026). The text mentions three bugs, suggesting multiple potential CVEs.
* **CVSS Score:** Not provided. Severity is implied as **Critical** due to achieving kernel arbitrary read/write.
* **CWE:** CWE-416 (Use After Free) is the primary mechanism described for the most severe bug.
## Affected Systems
* **Products:** Pixel SOC hardware utilizing the BigWave AV1 acceleration driver.
* **Versions:** Specific kernel and Android security patch levels are not given; the issue was present in builds leading up to the January 2026 findings.
* **Configurations:** Systems running Android with the BigWave driver accessible from the `mediacodec` SELinux context.
## Vulnerability Description
The most severe flaw involved a Time-of-Check to Time-of-Use (TOCTOU) condition within the BigWave Linux kernel module, specifically when processing work via the `BIGO_IOCX_PROCESS` ioctl.
1. When an application opens `/dev/bigwave`, an `inst` structure is created and linked to the file descriptor (`fd`). This structure contains a transient `job` sub-structure.
2. A userland process calls `BIGO_IOCX_PROCESS`, which places the `job` on a queue and blocks the ioctl thread in `wait_for_completion_timeout` (at most 16 seconds) waiting for the `bigo_worker_thread` to complete it.
3. If the worker thread is significantly delayed (due to a backlog of previous jobs), the 16-second timeout expires in the calling thread, which then dequeues the job as "timed-out."
4. Crucially, the `bigo_worker_thread` might *simultaneously* be processing that very job.
5. If the calling userland process closes the `fd` after the timeout but before the worker thread finishes, the main `inst` structure (which holds the `job`) is freed (Use-After-Free - UAF).
6. The still-running `bigo_worker_thread` continues to reference the now-freed object (`inst` -> `job`), leading to an arbitrary kernel read/write primitive upon subsequent access to the deallocated memory.
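The interleaving in steps 2 through 6, replayed as an added example (this is not code from the Project Zero post or from the Pixel BigWave driver). It is a deterministic, single-threaded model: the worker's and the ioctl caller's steps are called in the order the report gives, so there is no real thread and no freed memory is ever dereferenced; a `freed` flag stands in for `kfree()`. The vulnerable variant frees `inst` on close regardless of the worker, while the hardened variant gives the in-flight job its own reference so the last user frees the object. All names (`bigo_inst`, `bigo_job`, the `model_*` and `replay_*` functions) are hypothetical.

```c
/* Added example: deterministic model of the BigWave timeout/close race.
 * Not driver code; names are hypothetical, "freed" stands in for kfree(). */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

enum { RESULT_CLEAN = 0, RESULT_UAF = 1, RESULT_LEAK = 2 };

struct bigo_job { int done; };             /* set by the worker when finished */

struct bigo_inst {
    struct bigo_job job;   /* embedded: freeing inst frees the job with it */
    int refcount;          /* hardened variant: one ref for the fd, one per in-flight job */
    int freed;             /* models kfree(inst) */
};

static struct bigo_job *queue_head;        /* job waiting for the worker */
static struct bigo_job *worker_current;    /* job the worker is processing */

static struct bigo_inst *inst_of(struct bigo_job *job)   /* container_of() */
{
    return (struct bigo_inst *)((char *)job - offsetof(struct bigo_inst, job));
}

static struct bigo_inst *model_open(void)  /* open(/dev/bigwave): fd holds one ref */
{
    struct bigo_inst *inst = calloc(1, sizeof *inst);
    if (!inst) abort();
    inst->refcount = 1;
    return inst;
}

/* BIGO_IOCX_PROCESS: queue the job. Hardened variant takes the worker's
 * reference before the job becomes visible to it. */
static void model_submit(struct bigo_inst *inst, int hardened)
{
    if (hardened) inst->refcount++;
    queue_head = &inst->job;
}

static void worker_start(void)             /* bigo_worker_thread dequeues the job */
{
    worker_current = queue_head;
    queue_head = NULL;
}

/* wait_for_completion_timeout() expired: the caller dequeues the job as
 * timed out if it is still queued. Nothing records that the worker holds it. */
static void model_timeout(struct bigo_inst *inst)
{
    if (queue_head == &inst->job) queue_head = NULL;
}

static void inst_put(struct bigo_inst *inst)
{
    if (--inst->refcount == 0) inst->freed = 1;   /* kfree(inst) */
}

static void model_close(struct bigo_inst *inst, int hardened)   /* release() */
{
    if (hardened) inst_put(inst);
    else inst->freed = 1;   /* vulnerable: kfree(inst) while the worker may still use it */
}

/* Worker finishes and writes status into inst->job; returns 1 if that write
 * would land in freed memory, i.e. the use-after-free. */
static int worker_finish(int hardened)
{
    struct bigo_inst *inst = inst_of(worker_current);
    int uaf = inst->freed;
    if (!uaf) inst->job.done = 1;
    worker_current = NULL;
    if (hardened) inst_put(inst);          /* worker's reference dropped last */
    return uaf;
}

static int score(struct bigo_inst *inst, int uaf)
{
    int r = uaf ? RESULT_UAF : (inst->freed ? RESULT_CLEAN : RESULT_LEAK);
    free(inst);
    queue_head = worker_current = NULL;
    return r;
}

/* The report's interleaving: worker mid-job when the ioctl times out and
 * userland closes the fd. Vulnerable -> RESULT_UAF, hardened -> RESULT_CLEAN. */
int replay_race(int hardened)
{
    struct bigo_inst *inst = model_open();
    model_submit(inst, hardened);
    worker_start();
    model_timeout(inst);
    model_close(inst, hardened);
    return score(inst, worker_finish(hardened));
}

/* Same steps without the race: the worker completes before close(). */
int replay_no_race(int hardened)
{
    struct bigo_inst *inst = model_open();
    int uaf;
    model_submit(inst, hardened);
    worker_start();
    uaf = worker_finish(hardened);
    model_close(inst, hardened);
    return score(inst, uaf);
}

int main(void)
{
    printf("race: vulnerable=%d hardened=%d (1 = UAF, 0 = clean)\n",
           replay_race(0), replay_race(1));
    printf("no race: vulnerable=%d hardened=%d\n",
           replay_no_race(0), replay_no_race(1));
    return 0;
}
```

The point the model makes is that the timeout path and the release path each look correct in isolation; the defect is that neither consults the worker, so object lifetime has to be tied to the in-flight job (a reference, or waiting for the worker to drop the job) rather than to the file descriptor alone.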
## Exploitation
* **Status:** PoC available (used internally by the researcher to demonstrate kernel arbitrary read/write and subsequent sandbox escape).
* **Complexity:** Medium to High (requires precise timing/job queuing within the vulnerable driver, but the resultant primitive grants high control).
* **Attack Vector:** Local. Requires the attacker's process to already be running within the `mediacodec` SELinux context (achievable through an upstream, non-kernel exploit like a Dolby Unified Decoder RCE).
## Impact
* **Confidentiality:** High (Kernel arbitrary read allows access to all system memory, including kernel secrets and user data).
* **Integrity:** High (Kernel arbitrary write allows modification of kernel memory, enabling sandbox escape and system compromise).
* **Availability:** High (Kernel crash/denial of service is trivially possible).
## Remediation
### Patches
* Fixes for all three discovered bugs (including the UAF) were made available on **January 5, 2026**.
* System administrators should apply the corresponding Monthly Android Security Bulletin patches released shortly after this date.
### Workarounds
* No specific vendor workarounds are detailed, but mitigating the initial context breach (e.g., preventing the Dolby RCE) would prevent the exploitation chain from starting.
* Restricting access to `/dev/bigwave` via SELinux policy (if possible without breaking legitimate media decoding) could serve as a temporary measure, though the driver is intended to be accessible to `mediacodec`.
## Detection
* **Indicators of Compromise:** Monitoring kernel log messages for unexpected errors or crashes related to the BigWave driver, especially sequences involving `ioctl` calls, `wait_event_timeout` handling, and subsequent memory corruption errors referencing freed BigWave structures.
* **Detection Methods and Tools:** Advanced kernel integrity monitoring or rootkit detection tools capable of tracking dynamic memory allocation/deallocation sequences within device drivers.
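A minimal form of the log-based check the Detection section describes, added here as an example (not tooling from the Project Zero post or from Google). It scans kernel log lines for a KASAN use-after-free report whose faulting function belongs to the BigWave driver (the `bigo_` prefix is taken from `bigo_worker_thread` above) and notes whether a driver timeout message preceded it. The sample lines are constructed; the `bigwave: ... timed out` wording in particular is a placeholder, since the driver's real message text is not on the page, and only the `BUG: KASAN:` header follows the kernel's actual report format.

```c
/* Added example: scan kernel log lines for BigWave use-after-free reports.
 * Sample lines are constructed; the driver timeout wording is a placeholder. */
#include <stdio.h>
#include <string.h>

static const char *sample_dmesg[] = {
    "[  120.001] bigwave: job 17 timed out after 16000 ms",
    "[  120.203] BUG: KASAN: slab-use-after-free in bigo_worker_thread+0x1a4/0x3c0",
    "[  120.205] Write of size 4 at addr ffffff80aa11b0c0 by task bigo_worker/812",
    "[  120.300] usb 1-1: new high-speed USB device number 3",
    "[  121.010] BUG: KASAN: slab-use-after-free in other_driver_fn+0x10/0x20",
};
#define SAMPLE_COUNT (sizeof sample_dmesg / sizeof sample_dmesg[0])

/* 1 if the line is a KASAN use-after-free header naming a bigo_* function. */
int is_bigwave_uaf_header(const char *line)
{
    const char *p = strstr(line, "BUG: KASAN:");
    if (!p || !strstr(p, "use-after-free"))
        return 0;
    p = strstr(p, " in ");
    return p && strncmp(p + 4, "bigo_", 5) == 0;
}

/* Counts BigWave UAF reports in lines[0..n). *after_timeout receives how
 * many of them followed a driver timeout message, the sequence the
 * advisory calls out (ioctl timeout, then corruption of a freed structure). */
int count_bigwave_uaf_reports(const char **lines, size_t n, int *after_timeout)
{
    int count = 0, seen_timeout = 0;
    *after_timeout = 0;
    for (size_t i = 0; i < n; i++) {
        if (strstr(lines[i], "bigwave:") && strstr(lines[i], "timed out"))
            seen_timeout = 1;
        if (is_bigwave_uaf_header(lines[i])) {
            count++;
            if (seen_timeout) (*after_timeout)++;
            seen_timeout = 0;
        }
    }
    return count;
}

int main(void)
{
    int after = 0;
    int n = count_bigwave_uaf_reports(sample_dmesg, SAMPLE_COUNT, &after);
    printf("BigWave UAF reports: %d (%d preceded by a driver timeout)\n", n, after);
    return 0;
}
```

KASAN reports only appear on kernels built with it, so on production devices this check catches the crash signature (an `Oops` or panic in `bigo_*` frames) rather than a clean UAF header; the matching logic is the same, only the header string differs.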
## References
* Vendor Advisories: Google/Android Security Bulletin (January 2026 release cycle).
* Relevant Links:
* projectzero.google.com/2026/01/pixel-0-click-part-2.html