projectzero.google
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-08.
| Date Added | Year | Resource | Tags | Excerpt |
|---|---|---|---|---|
| 2026-06-08 | 2026 | Breaking the Sound Barrier, Part II: Exploiting CVE-2024-54529 | Fuzzing, RCE | Writeup detailing the exploitation of CVE-2024-54529, a type confusion vulnerability in macOS's CoreAudio daemon. The author describes the process of turning the crash into a working exploit by establishing a pointer chain to control object types and ultimately hijack control flow. This involved developing custom tools such as an object dumper built on TinyInst and performing static analysis with IDAPython to navigate heap intricacies and overcome initial exploitation hurdles with CFString objects. The analysis also explored and ruled out an out-of-bounds read primitive, highlighting the importance of version-specific vulnerabilities. |
| 2026-06-08 | 2026 | Bypassing Administrator Protection by Abusing UI Access | AuthZ, Bug Bounty | Writeup detailing 5 bypasses of Windows Administrator Protection, specifically through the abuse of UI Access. This feature, intended to secure UAC boundaries, could be circumvented by processes granted special permissions to bypass UIPI restrictions. The research highlights how accessibility applications, which require UI Access to function with elevated processes, could be exploited by lower-integrity processes. The identified bypasses, now fixed, demonstrated how UI Access combined with specific integrity levels could lead to privilege escalation, impacting administrator and even system processes. |
| 2026-06-08 | 2026 | A Deep Dive into the GetProcessHandleFromHwnd API | AuthZ, Bug Bounty | Library exploring the `GetProcessHandleFromHwnd` API, tracing its evolution from an `oleacc.dll` function utilizing window hooks and shared memory for handle duplication in Vista, to a `win32kfull.sys` kernel function (`NtUserGetWindowProcessHandle`) in Windows 10. This analysis reveals discrepancies between API documentation and actual implementation, including changes to UI Access requirements and the move to direct kernel-level process opening, impacting how UAC bypasses and inter-process communication are handled. |
| 2026-06-08 | 2026 | On the Effectiveness of Mutational Grammar Fuzzing | Fuzzing | Technique analyzing the flaws of mutational grammar fuzzing, particularly how increased coverage doesn't always equate to more bugs and how samples tend to remain highly similar. It highlights issues found in XSLT implementations and JIT engines, suggesting potential improvements by exploring dataflow coverage or combining generative and mutational fuzzing approaches. |
| 2026-06-08 | 2026 | A 0-click exploit chain for the Pixel 10: When a Door Closes, a Window Opens | Mobile, RCE | Writeup detailing a two-exploit chain achieving root on the Google Pixel 10, bypassing the Pixel 9 privilege escalation fix with a novel VPU driver vulnerability (CVE-2026-0000). The Dolby UDC exploit, patched in December 2025, was adapted for Pixel 10 by addressing RET PAC, and a new vulnerability in the /dev/vpu driver allowed arbitrary kernel read-write via an unbounded `mmap` handler, patched in the February 2026 security bulletin. |
| 2026-01-15 | 2026 | A 0-click exploit chain for the Pixel 9 Part 1: Decoding Dolby - Project Zero | Mobile | Library detailing a 0-click exploit chain targeting the Pixel 9, focusing on vulnerabilities within the Dolby Unified Decoder. This analysis delves into CVE-2025-54957, an integer overflow in the EMDF payload processing, and CVE-2025-36934, a driver vulnerability, explaining how these lead to arbitrary code execution in the mediacodec context and privilege escalation to the kernel. The research highlights the increased attack surface introduced by AI-driven audio transcription features in mobile devices. |