Security gap in Dolby Digital Plus Decoder in Android, iOS, macOS, and Windows
A security vulnerability in the Dolby Unified Decoder enabled a zero-click exploit in Android, among other things.
A security vulnerability in the Dolby Digital Plus Unified Decoder made Android, iOS, macOS, and Windows susceptible to attacks. It enabled zero-click attacks on Android devices, for instance. Updates to patch the security hole are already available.
This is reported by Google's Project Zero in a bug entry. Due to an integer overflow when processing data by the DDPlus Unified Decoder, write accesses to a heap-like buffer can occur beyond the intended memory limits. This allows structures such as pointers to be overwritten. “On Android, this leads to a zero-click vulnerability because Android locally decodes all audio messages and attachments for transcription using this decoder, without users interacting with the device,” the programmers explain there.
Zero-Click Code Execution on Android Phone
They created sample files that demonstrate the vulnerability and crash vulnerable devices. The IT researchers tested Google's Pixel 9 and Samsung's S24, which crashed with a SIGSEGV (segmentation fault). A MacBook Air M1 with macOS 26.0.1 and an iPhone 17 Pro with iOS 26.0.1, on the other hand, crashed with a “bounds-safety trap,” that is, a trap raised by the bounds-checking mechanisms of the programming environment used. The IT security specialists were able to execute injected code through this vulnerability on Google's Pixel 9 with Android 16 and firmware BP2A.250605.031.A2.
According to the bug entry, the vulnerability is considered fixed. Microsoft fixed it last week with the October security updates for various Windows versions (CVE-2025-54957, CVSS 7.0, risk “high”). For ChromeOS, Google distributed an operating system update in mid-September.
Dolby published its security advisory, in which the company classifies the security risk as only “medium” with a CVSS score of 6.7. According to the advisory, software versions UDC v4.5 to v4.13 are affected. The manufacturer urges vendors whose devices use Dolby Digital Plus to contact their Dolby representative to obtain the latest Dolby Digital Plus files. End customers should ensure that their devices are up to date.
Most recently, at the end of August, a WhatsApp zero-click vulnerability came to light that made iOS and macOS devices vulnerable without user confirmation.
(dmk)