A significant security flaw has been identified in the Dolby Digital Plus (DDP) audio decoding software, potentially allowing attackers to execute malicious code remotely through seemingly harmless audio messages. The vulnerability is zero-click: it requires no user interaction to exploit. It poses a substantial threat to devices that use the DDP decoder, particularly those running the Android operating system.
Discovery and Technical Details
Security researchers Ivan Fratric and Natalie Silvanovich from Google’s Project Zero team uncovered an out-of-bounds write flaw within the DDPlus Unified Decoder. This component is responsible for processing evolution data in audio files. The vulnerability arises from an integer overflow during length calculations, leading to the allocation of an undersized buffer. Consequently, subsequent data writes can bypass boundary checks, potentially overwriting critical structure members, including pointers that are processed in the following synchronization frame.
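The bug class described above (a length calculation that wraps and yields an undersized allocation), shown as an added C example; it is not code from the Dolby decoder or from the researchers' report. The record layout, `HDR_SIZE`, `MAX_RECORD` and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HDR_SIZE 16u          /* hypothetical fixed header size */
#define MAX_RECORD (1u << 20) /* hypothetical upper bound on one record */

/* Unchecked form, for comparison: uint32_t arithmetic wraps modulo 2^32,
   so large untrusted fields produce a small "length". */
uint32_t unchecked_len(uint32_t count, uint32_t entry_size) {
    return HDR_SIZE + count * entry_size;
}

/* Checked form: returns 0 and sets *out on success; returns -1 if the
   product or sum would wrap, or if the result exceeds MAX_RECORD. */
int checked_len(uint32_t count, uint32_t entry_size, uint32_t *out) {
    if (entry_size != 0 && count > (UINT32_MAX - HDR_SIZE) / entry_size)
        return -1;
    uint32_t len = HDR_SIZE + count * entry_size; /* cannot wrap here */
    if (len > MAX_RECORD)
        return -1;
    *out = len;
    return 0;
}

/* Allocate a record and copy the entries from src (src_len bytes available).
   Returns NULL when the declared sizes are inconsistent with the input. */
uint8_t *build_record(const uint8_t *src, size_t src_len,
                      uint32_t count, uint32_t entry_size, uint32_t *rec_len) {
    uint32_t len;
    if (checked_len(count, entry_size, &len) != 0)
        return NULL;
    if ((size_t)(len - HDR_SIZE) > src_len) /* input must hold every entry */
        return NULL;
    uint8_t *rec = calloc(1, len);
    if (rec == NULL)
        return NULL;
    memcpy(rec + HDR_SIZE, src, len - HDR_SIZE);
    *rec_len = len;
    return rec;
}
```

With `count = 0x10000001` and `entry_size = 16`, the unchecked calculation returns 32 bytes for what the fields declare as roughly 4 GiB of entries; the checked path rejects the same input before any allocation or write.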
Implications for Android Users
The vulnerability’s impact is especially severe for Android users because the operating system processes audio automatically. Modern messaging applications, such as Google Messages, handle incoming audio content proactively, so a malicious audio file can trigger the vulnerability without any user action, making it a zero-click exploit.
Attackers can craft malicious audio files in formats like .ec3 or .mp4 and send them via Rich Communication Services (RCS). Upon receipt, the target device processes the file automatically, which can lead to a crash in the Codec 2.0 (C2) process. In more severe cases, if the vulnerability is further exploited, it could result in arbitrary code execution, granting attackers control over the device.
Exploitation Scenarios
The ease of exploitation is concerning. For instance, testers can reproduce the issue by placing a specially crafted file named dolby_android_crash.mp4 into the messaging app’s cache on a sending device and then initiating an RCS voice message. The target device crashes upon receiving the message. Researchers have provided sample bitstreams targeting both 32-bit and 64-bit Android systems, highlighting the vulnerability’s broad applicability.
In real-world scenarios, attackers could leverage this vulnerability through phishing campaigns or targeted attacks via messaging platforms. Such exploitation could lead to data theft, malware installation, or complete device takeover.
Current Status and Recommendations
As of the latest reports, it remains unclear whether patches have been released to address this vulnerability. The 90-day disclosure window ended on September 24, 2025, making the details public. Android users are strongly advised to update their devices and messaging applications promptly to mitigate potential risks. While Google has not yet provided an official statement, staying vigilant and ensuring all software is up-to-date is crucial.
Broader Impact
The vulnerability is not confined to Android devices. Code analysis indicates its presence in macOS implementations of the DDP decoder. However, pre-processing steps in macOS may prevent exploitation. Researchers are actively investigating other platforms that integrate Dolby technologies, including iOS devices, smart TVs, and streaming devices, to assess the full scope of the vulnerability.
Understanding Evolution Data in DDP
The evolution data handling feature in DDP is designed to enhance audio capabilities by allowing dynamic adjustments and improvements in sound quality. Ironically, this feature has become a vector for exploitation in this case. The flaw underscores the importance of rigorous security assessments in software components that handle complex data processing tasks.
Conclusion
The discovery of this zero-click vulnerability in Dolby Digital Plus highlights the evolving nature of cybersecurity threats. Users must remain proactive in updating their devices and applications to protect against potential exploits. Additionally, software developers and vendors should prioritize security in the design and implementation of features, especially those involving automatic data processing, to prevent similar vulnerabilities in the future.