A critical zero-click vulnerability in Dolby Digital Plus (DDP) audio decoding software has been disclosed, allowing attackers to execute malicious code remotely via seemingly innocuous audio messages.
Google Project Zero’s Ivan Fratric and Natalie Silvanovich have identified an out-of-bounds write flaw in the DDPlus Unified Decoder, which processes evolution data in audio files.
This bug stems from an integer overflow in length calculations, leading to an undersized buffer allocation. As a result, subsequent writes bypass bounds checks, potentially overwriting key struct members, including pointers processed in the next syncframe.
The issue affects devices running the decoder, with severe implications for Android users due to automatic audio processing.
The vulnerability, detailed in a recent bug report, highlights how modern messaging apps unwittingly expose users to remote code execution (RCE). On Android, the flaw enables attacks without any user interaction.
Incoming RCS (Rich Communication Services) audio messages and attachments are decoded locally for transcription purposes, triggering the bug silently in the background.
Potential Exploitation on Android Devices
Android devices are particularly at risk because the Google Messages app and similar clients use the DDPlus decoder to handle audio content proactively.
Attackers could craft malicious audio files, such as those in .ec3 or .mp4 formats, and send them via RCS. Once received, the target’s device processes the file automatically, potentially leading to a crash in the C2 (Codec 2.0) process or worse, arbitrary code execution if exploited further.
Reproduction is straightforward for testers: By pushing a specially crafted file like “dolby_android_crash.mp4” into the messaging app’s cache on a sending device and initiating an RCS voice message, the target device crashes upon receipt.
Researchers provided sample bitstreams, including one that targets 32-bit systems and another for 64-bit Android. This ease of exploitation underscores the urgency, as no user action like opening or playing the file is required.
In real-world scenarios, phishing campaigns or targeted attacks via messaging could weaponize this for data theft, malware implantation, or device takeover.
While patches remain unclear as of this report, Android users are advised to update their devices and messaging apps promptly. Google has not yet commented, but the 90-day disclosure window ended on September 24, 2025, making details public.
The flaw extends beyond Android; code analysis reveals its presence in macOS implementations, though pre-processing steps may prevent exploitation there.
Researchers are continuing to probe affected platforms, including potential impacts on iOS or other Dolby-integrated systems like smart TVs and streaming devices.
volution data handling in DDP, designed for enhanced audio features, ironically becomes a vector for abuse in this case.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
