Critical Zero-Click RCE Flaw Found in Dolby Decoder on Android
The Google Project Zero team has disclosed a critical vulnerability in the Dolby DDPlus Unified Decoder that permits remote arbitrary code execution on Android devices without any user interaction. Tracked as CVE-2025-54957, the flaw manifests as an out-of-bounds write during the processing of audio data.
The root cause is an integer overflow in the computation of the length of the buffer into which the decoder writes. The wrapped value results in the allocation of a memory region that is too small, which defeats the decoder's out-of-bounds protections and lets an attacker corrupt in-memory structures, including pointers used when parsing the subsequent syncframe.
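The bug class described above, an integer overflow in a buffer-length computation followed by an allocation of the wrapped size, is illustrated by the following added example. It is not code from the Dolby decoder or from Project Zero's report; the frame descriptor fields and function names are assumptions chosen to show the pattern. The unchecked path is shown beside the hardened form a decoder should use: checked multiplication before allocation and a bounds check that cannot itself wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed descriptor for one audio frame. The field names are an
 * illustration of the bug class, not Dolby's actual syncframe layout. */
struct frame_desc {
    uint32_t channels;
    uint32_t samples_per_channel;
    uint32_t bytes_per_sample;
};

/* Unchecked length computation: each multiply wraps modulo 2^32, so a large
 * descriptor can yield a small (even zero) length and an undersized buffer. */
uint32_t frame_len_unchecked(const struct frame_desc *d)
{
    return d->channels * d->samples_per_channel * d->bytes_per_sample;
}

/* Overflow-safe multiply for 32-bit unsigned operands.
 * Returns false and leaves *out untouched if a*b does not fit in 32 bits. */
bool mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Hardened length computation: refuses any descriptor whose product wraps. */
bool frame_len_checked(const struct frame_desc *d, uint32_t *out)
{
    uint32_t tmp;
    if (!mul_u32_checked(d->channels, d->samples_per_channel, &tmp))
        return false;
    return mul_u32_checked(tmp, d->bytes_per_sample, out);
}

/* Bounds check that is itself overflow-safe: "offset + n <= len" is rewritten
 * so that offset + n can never wrap and pass the check by accident. */
bool write_fits(uint32_t len, uint32_t offset, uint32_t n)
{
    return n <= len && offset <= len - n;
}

enum decode_status { DECODE_OK = 0, DECODE_BAD_LENGTH = 1, DECODE_OOM = 2 };

/* Hardened allocation path: only allocate a length that was computed without
 * wrapping, and reject zero-length frames that would make every write OOB. */
enum decode_status allocate_frame(const struct frame_desc *d, uint8_t **buf, uint32_t *len)
{
    uint32_t n;
    if (!frame_len_checked(d, &n) || n == 0)
        return DECODE_BAD_LENGTH;
    *buf = calloc(n, 1);
    if (*buf == NULL)
        return DECODE_OOM;
    *len = n;
    return DECODE_OK;
}

/* Allocates, frees, and reports the accepted length (0 if rejected). */
uint32_t allocate_frame_probe(const struct frame_desc *d)
{
    uint8_t *buf = NULL;
    uint32_t len = 0;
    if (allocate_frame(d, &buf, &len) != DECODE_OK)
        return 0;
    free(buf);
    return len;
}

int main(void)
{
    /* Constructed inputs: a sane frame and one whose product is exactly 2^32. */
    struct frame_desc sane = { 6, 1536, 4 };
    struct frame_desc hostile = { 0x10000u, 0x10000u, 1 };
    uint32_t n = 0;

    printf("sane: unchecked=%u checked=%s\n", frame_len_unchecked(&sane),
           frame_len_checked(&sane, &n) ? "accepted" : "rejected");
    printf("hostile: unchecked=%u checked=%s\n", frame_len_unchecked(&hostile),
           frame_len_checked(&hostile, &n) ? "accepted" : "rejected");
    return 0;
}
```

The hostile descriptor wraps to a length of 0 on the unchecked path, which is exactly the "too small" allocation the advisory describes; the checked path rejects it before any memory is reserved, and `write_fits` rejects an offset/length pair whose naive sum would wrap back inside the buffer.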
On Android the vulnerability is particularly pernicious because the platform proactively decodes incoming audio messages and attachments—such as those transmitted via RCS messaging—for transcription without awaiting user action. Project Zero researchers exploited this behavior to achieve code execution in the mediacodec context on a Pixel 9 running firmware 16 BP2A.250605.031.A2, rendering the exploit a true zero-click attack that requires no interaction from the device owner.
During testing, Google confirmed that the flaw could also trigger a crash (SIGSEGV) on a Samsung S24 with firmware S921U1UES4AYB3. Project Zero additionally identified the vulnerable code on a MacBook Air M1 (macOS Tahoe 26.0.1) and an iPhone 17 Pro (iOS 26.0.1), although successful code execution on these platforms has not been demonstrated—likely owing to supplementary pre-validation mechanisms for audio files.
ChromeOS was likewise affected; the vulnerability was remediated in the ChromeOS update of 18 September 2025, and Microsoft issued a corresponding patch.
To illustrate the attack, researchers crafted a file named dolby_android_crash.mp4 that can be embedded within an audio message. By replacing the temporary file in the RCS messenger cache (/data/user/0/com.google.android.apps.messaging/cache/mediascratchspace/) with the malicious MP4 via ADB, the act of sending the message will crash the victim device’s C2 process.
Project Zero emphasizes that the disclosure followed its standard 90-day public disclosure policy. Although an initial embargo deadline of 24 September 2025 was communicated, the final disclosure date was set to 25 September to account for time-zone differences. The advisory was made public 30 days after the vendor patches were released, in accordance with the Project Zero disclosure guidelines.
Investigation into potential exploitation continues, and Google has pledged to publish the full technical details of the zero-click attack after the ongoing analysis is complete.