A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Wave

A researcher discovered three bugs in the BigWave driver on Pixel 9 phones, including one that allows escaping the mediacodec sandbox (a restricted environment where apps run with limited permissions) to gain kernel arbitrary read/write access. The most dangerous bug is a use-after-free vulnerability (accessing memory that has already been freed), which occurs when a worker thread continues processing a job after the file descriptor managing it has been closed and its memory destroyed.