Google Project Zero Exposes Dolby Decoder Flaw Enabling Zero-Click Android Exploits
Episode 299

Daily Security Review

October 20, 2025 · 21m 44s

Show Notes

A newly discovered vulnerability in Dolby’s Unified Decoder has sent shockwaves through the cybersecurity world. Tracked as CVE-2025-54957, the flaw — uncovered by Google Project Zero — is a critical out-of-bounds write vulnerability that allows remote code execution (RCE) when a specially crafted audio file is decoded. The issue stems from an integer overflow in the decoder’s buffer length calculation, leading to memory corruption that can be exploited by attackers.

What makes this flaw particularly dangerous is its potential for zero-click exploitation on Android. Because Android automatically decodes incoming audio messages using Dolby’s Unified Decoder, attackers can trigger the exploit simply by sending a malicious audio file — no user interaction required. In controlled tests, Google’s researchers demonstrated full code execution within the media codec context on modern Android devices, including the Pixel 9 and Samsung S24.

The impact, however, varies across platforms. Windows users are somewhat safer, as Microsoft confirmed user interaction is needed for successful exploitation. macOS and iOS users face a lesser — but still significant — risk, as the exploit currently causes process crashes rather than full code execution. Nonetheless, this flaw underscores the growing risk of vulnerabilities in multimedia components that are deeply integrated into everyday devices.

The vulnerability’s discovery and disclosure timeline shows a coordinated effort between Google, Dolby, and Microsoft, leading to patched updates across major platforms. Still, the event highlights a disturbing trend: even audio processing routines can become vectors for silent, remote attacks. With the attack surface expanding into unexpected territories like sound decoders, the case of CVE-2025-54957 is a stark reminder that in modern cybersecurity, no data stream is inherently safe.
