
Critical CVE-2025-54957 Dolby Decoder Vulnerability Enables Zero-Click RCE Attacks on Android Devices

  • Rescana
  • Oct 20
  • 6 min read

Executive Summary

A critical vulnerability, CVE-2025-54957, has been identified in the Dolby DDPlus Unified Decoder that can enable zero-click remote code execution (RCE), with the most severe impact on Android devices. The flaw, reported by Google Project Zero, is triggered by a specially crafted audio file delivered through messaging applications that support RCS (Rich Communication Services). The vulnerable decoder library ships on Android, iOS, macOS, ChromeOS, and Windows, but the zero-click vector is specific to Android, where incoming audio messages are decoded automatically (for transcription) before the user opens them, so the malicious file is parsed without any user interaction. Immediate patching is strongly recommended: a successful exploit gives the attacker code execution in the media codec process of the affected device, a foothold that can lead to data theft, further device compromise, or lateral movement within enterprise environments.

Technical Information

The vulnerability, tracked as CVE-2025-54957, resides in the Dolby DDPlus Unified Decoder component, which is integrated into modern operating systems and devices for Dolby Digital Plus audio decoding. The flaw is classified as an out-of-bounds write caused by an integer overflow during the parsing of evolution data within Dolby-encoded audio. The decoder derives a buffer length from attacker-controlled evolution fields; when that arithmetic overflows, the length wraps to a small value and the buffer it allocates is too small for the data that follows. Subsequent operations then write past the end of the allocated buffer, corrupting memory.

On Android, the risk is amplified by the system's default behavior of automatically decoding incoming audio messages for transcription, in particular messages received via RCS. A malicious actor can therefore trigger the vulnerability remotely by sending a specially crafted audio file to a target device, with no user interaction required. The vulnerable code runs inside the mediacodec process, the sandboxed service responsible for media decoding on Android, so that is where an attacker gains control. Google Project Zero demonstrated on a Pixel 9 that a crafted RCS audio message triggers the memory corruption (crashing the mediacodec process) without any user action, confirming that the zero-click delivery path reaches the bug; the out-of-bounds write is the primitive from which a working code-execution exploit would be built.

On other platforms such as iOS, macOS, ChromeOS, and Windows, exploitation requires some degree of user interaction, such as manually playing the malicious audio file, because those systems do not decode incoming audio automatically. Additional security mechanisms on these platforms may further mitigate the risk, but the underlying memory-corruption bug is present until the decoder is patched.

The vulnerability has been assigned a CVSS score of 7.0 (High), as reported by SecurityOnline.info. The attack vector is remote (a file delivered over the network), and the flaw can be weaponized to achieve arbitrary code execution in the decoding process, from which an attacker could attempt to install malware, exfiltrate sensitive data, or pivot to other systems within a network.

The technical root cause is an integer overflow in the decoder's length calculation logic. When parsing evolution information, the decoder computes how much space the data needs without checking that the arithmetic fits in the integer type used, so a large attacker-supplied size wraps to a small number. Because the size check and the allocation both use the wrapped value, the check passes and the buffer comes out undersized, while the later copy still processes the full amount of data described by the original fields. The existing bounds checks are therefore ineffective, and the copy writes outside the buffer, yielding the memory corruption that an exploit would turn into code execution.
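As an added illustration for the two root-cause paragraphs above, the following C program models the bug class the advisory describes. It is not Dolby's decoder code and not the Project Zero proof of concept: the "count of elements times element size" layout of the evolution block, the buffer sizes, and the function names are assumptions made for the demo, since the real field layout is not published here. The vulnerable planner performs the size check on the wrapped 32-bit product and would allocate that small value while its element loop writes the full amount; the hardened planner rejects the block before any size is derived from an overflowing product. No copy is actually performed, so the demo itself is memory-safe.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative model of the CVE-2025-54957 bug class (NOT Dolby's code).
 * Assumed layout: an "evolution block" declares a count of elements and a
 * per-element size; the decoder derives its buffer size from the product. */

typedef struct {
    int      accepted;     /* 1 if the parser would proceed, 0 if it rejects */
    uint32_t alloc_bytes;  /* size the parser would allocate for the block */
    uint64_t write_bytes;  /* bytes the per-element loop would actually write */
} evo_plan_t;

/* Vulnerable pattern: total = count * elem_size is computed in 32 bits and
 * the bounds check is performed on the wrapped value, so a huge declared
 * size passes the check and the allocation is far too small. */
evo_plan_t evo_plan_vulnerable(uint32_t count, uint32_t elem_size, size_t in_len)
{
    evo_plan_t p = {0, 0, 0};
    uint32_t total = count * elem_size;          /* wraps modulo 2^32 */
    if (total > in_len)                          /* check on the wrapped value */
        return p;
    p.accepted    = 1;
    p.alloc_bytes = total;                       /* undersized when wrapped */
    p.write_bytes = (uint64_t)count * elem_size; /* what a per-element loop writes */
    return p;
}

/* Hardened pattern: reject the block if count * elem_size cannot be
 * represented, before any size is derived from the product. */
evo_plan_t evo_plan_safe(uint32_t count, uint32_t elem_size, size_t in_len)
{
    evo_plan_t p = {0, 0, 0};
    if (elem_size == 0 || count > UINT32_MAX / elem_size)
        return p;                                /* product would overflow */
    uint32_t total = count * elem_size;          /* now provably exact */
    if (total > in_len)
        return p;
    p.accepted    = 1;
    p.alloc_bytes = total;
    p.write_bytes = total;                       /* loop bound equals allocation */
    return p;
}

/* Returns 1 if the plan would write past its own allocation (the OOB write). */
int evo_plan_overflows(evo_plan_t p)
{
    return p.accepted && p.write_bytes > p.alloc_bytes;
}

int main(void)
{
    /* Constructed inputs: a benign block, and one whose 32-bit product
     * (0x10000001 * 16 = 0x100000010) wraps to 16 bytes. */
    evo_plan_t benign = evo_plan_vulnerable(4u, 16u, 64);
    evo_plan_t wrap_v = evo_plan_vulnerable(0x10000001u, 16u, 64);
    evo_plan_t wrap_s = evo_plan_safe(0x10000001u, 16u, 64);

    printf("benign: accepted=%d alloc=%u write=%llu overflow=%d\n",
           benign.accepted, (unsigned)benign.alloc_bytes,
           (unsigned long long)benign.write_bytes, evo_plan_overflows(benign));
    printf("wrapped, vulnerable: accepted=%d alloc=%u write=%llu overflow=%d\n",
           wrap_v.accepted, (unsigned)wrap_v.alloc_bytes,
           (unsigned long long)wrap_v.write_bytes, evo_plan_overflows(wrap_v));
    printf("wrapped, hardened: accepted=%d\n", wrap_s.accepted);
    return 0;
}
```

The hardened check compares against `UINT32_MAX / elem_size` rather than testing the product after the fact, which is the portable way to detect the overflow before it happens; compilers that offer `__builtin_mul_overflow` can express the same check in one call.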

Google Project Zero's proof of concept consisted of a malicious audio file sent via RCS to a Pixel 9, which the device processed automatically, triggering the vulnerability inside the mediacodec process without the recipient opening the message. That fully remote, zero-click trigger is what makes this bug stand out from the many decoder crashes that require a victim to play a file.

On other platforms, researchers observed process crashes when playing the malicious file on devices such as the Samsung S24, MacBook Air M1, and iPhone 17 Pro, but only Android was confirmed to be zero-click exploitable due to its unique audio processing pipeline.

Exploitation in the Wild

As of the time of this advisory, there are no confirmed reports of exploitation of CVE-2025-54957 in the wild. No public proof-of-concept (PoC) code has been released, and no weaponized exploits have been observed on underground forums or in exploit repositories. However, the existence of a working trigger developed by Google Project Zero in a controlled environment underscores the criticality of the vulnerability and the urgency of remediation.

Security researchers and vendors have not attributed any active campaigns or incidents to this vulnerability, and no indicators of compromise (IOCs) specific to in-the-wild exploitation have been published by major threat intelligence vendors, CISA, or MITRE. Nonetheless, the fact that the bug is reachable from a network-delivered file and the widespread deployment of the vulnerable decoder make it likely that threat actors will attempt to weaponize the flaw, especially given the high value of zero-click vulnerabilities to both cybercriminal and APT operators.

APT Groups using this vulnerability

At present, there is no evidence that any known APT (Advanced Persistent Threat) groups or state-sponsored actors are exploiting CVE-2025-54957. Open-source intelligence, vendor advisories, and the MITRE ATT&CK database do not attribute this vulnerability to any specific threat actor or campaign. No sector-specific or country-specific targeting has been observed, and no criminal or state-sponsored group has claimed responsibility for attacks leveraging this flaw.

Given the high value of zero-click vulnerabilities, it is plausible that sophisticated threat actors will seek to incorporate this bug into their toolkits once public exploit code becomes available or the vendor patch has been reverse engineered (patch diffing). Organizations should remain vigilant and monitor for emerging threat intelligence related to this vulnerability.

Affected Product Versions

The Dolby DDPlus Unified Decoder is integrated into a wide range of operating systems and devices. The following product versions are known to be affected, based on open-source reporting and vendor advisories:

For Windows platforms, the affected versions are:

  • Windows 11 Version 25H2 for x64-based Systems and for ARM64-based Systems
  • Windows 11 Version 24H2 for x64-based Systems and for ARM64-based Systems
  • Windows 11 Version 23H2 for x64-based Systems and for ARM64-based Systems
  • Windows 11 Version 22H2 for x64-based Systems and for ARM64-based Systems
  • Windows 10 Version 22H2 for x64-based, ARM64-based, and 32-bit Systems
  • Windows 10 Version 21H2 for x64-based, ARM64-based, and 32-bit Systems
  • Windows 10 Version 1809 for x64-based and 32-bit Systems
  • Windows 10 Version 1607 for x64-based and 32-bit Systems
  • Windows Server 2025 (including Server Core installation)
  • Windows Server 2022, 23H2 Edition (Server Core installation)
  • Windows Server 2022 (including Server Core installation)
  • Windows Server 2019 (including Server Core installation)
  • Windows Server 2016 (including Server Core installation)
  • Windows Server 2012 R2 (including Server Core installation)
  • Windows Server 2012 (including Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (including Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2 (including Server Core installation)
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (including Server Core installation)

For Android, all devices using the Dolby DDPlus Unified Decoder library are affected, including but not limited to Google Pixel 9, Samsung S24, and other modern Android devices with RCS support.

For iOS, all versions using the Dolby DDPlus Unified Decoder library are affected, such as iPhone 17 Pro and similar models.

For macOS, all versions using the Dolby DDPlus Unified Decoder library are affected, including MacBook Air M1 and similar devices.

For ChromeOS, all versions using the Dolby DDPlus Unified Decoder library are affected.

Exact affected version numbers for Android, iOS, macOS, and ChromeOS are not published in open sources; any current build of these platforms that includes the Dolby DDPlus Unified Decoder should be treated as vulnerable until the corresponding update has been applied.

Workaround and Mitigation

Vendors have released patches and mitigation guidance for all major platforms. For Android, security patches addressing CVE-2025-54957 have been released and are available through the standard update channels. All users and organizations should ensure that their devices are updated to the latest security patch level as soon as possible.

For ChromeOS, the vulnerability has been patched in the September 18, 2025 stable channel update. Users should verify that their devices are running the latest version.

For Windows, Microsoft has published guidance and updates for all supported versions. Administrators should apply the latest cumulative updates to ensure protection.

For macOS and iOS, Apple has issued updates that address the vulnerability. While exploitation on these platforms requires user interaction, it is still critical to apply the patches promptly.

As an interim mitigation, organizations should consider turning off automatic audio message transcription in RCS-capable messaging applications on Android where the application offers that setting, since automatic transcription is the feature that causes incoming audio to be decoded without user interaction; this reduces the zero-click exposure until all patches have been applied. Security teams should also monitor for native crashes (tombstones) in the media codec service process, especially repeated crashes shortly after a message is received, which may indicate attempted exploitation.
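The crash-monitoring advice above can be turned into a simple detection over collected logcat output. The following C program is an added example, not part of the advisory or of any vendor tooling: it scans tombstone-style crash headers for native crashes whose process is a media codec service. The log lines are constructed for the demo, and the codec process names (`mediacodec`, `media.codec`, `media.swcodec`) are assumptions about typical Android builds that should be adjusted to the `name:` values actually seen on the fleet.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added detection example (not from the advisory or any vendor).
 * Assumed codec service process names; adjust to the fleet's real values. */
static const char *const CODEC_PROCESS_NAMES[] = {
    "mediacodec", "media.codec", "media.swcodec"
};

typedef struct {
    int  pid;
    char name[32];
    int  signo;       /* 11 = SIGSEGV, 7 = SIGBUS, 6 = SIGABRT */
} codec_crash_t;

int is_codec_process(const char *name)
{
    size_t n = sizeof(CODEC_PROCESS_NAMES) / sizeof(CODEC_PROCESS_NAMES[0]);
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, CODEC_PROCESS_NAMES[i]) == 0)
            return 1;
    return 0;
}

/* Walks log lines in order. A "pid: N, tid: M, name: X" header opens a crash
 * record and the following "signal N (...)" line completes it. Records whose
 * process is a codec service are copied to out[] (up to max_out).
 * Returns the total number of codec-service crashes found. */
size_t scan_codec_crashes(const char *const *lines, size_t nlines,
                          codec_crash_t *out, size_t max_out)
{
    size_t found = 0;
    codec_crash_t cur;
    int have_header = 0;

    memset(&cur, 0, sizeof cur);
    for (size_t i = 0; i < nlines; i++) {
        const char *p;
        if ((p = strstr(lines[i], "pid:")) != NULL &&
            sscanf(p, "pid: %d, tid: %*d, name: %31s", &cur.pid, cur.name) == 2) {
            have_header = 1;
            continue;
        }
        if (have_header && (p = strstr(lines[i], "signal ")) != NULL &&
            sscanf(p, "signal %d", &cur.signo) == 1) {
            if (is_codec_process(cur.name)) {
                if (found < max_out)
                    out[found] = cur;
                found++;
            }
            have_header = 0;
        }
    }
    return found;
}

/* CONSTRUCTED logcat 'F DEBUG' tombstone lines for the demo; not real captures. */
static const char *const SAMPLE_LOG[] = {
    "F DEBUG   : pid: 2456, tid: 2471, name: media.codec  >>> /vendor/bin/hw/android.hardware.media.omx@1.0-service <<<",
    "F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7b3c00f000",
    "F DEBUG   : pid: 9012, tid: 9012, name: com.example.app  >>> com.example.app <<<",
    "F DEBUG   : signal 6 (SIGABRT), code -1 (SI_QUEUE)",
    "F DEBUG   : pid: 2603, tid: 2610, name: media.swcodec  >>> /apex/com.android.media.swcodec/bin/mediaswcodec <<<",
    "F DEBUG   : signal 7 (SIGBUS), code 1 (BUS_ADRALN), fault addr 0x7b3c11a003",
};
static const size_t SAMPLE_LOG_LEN = sizeof(SAMPLE_LOG) / sizeof(SAMPLE_LOG[0]);

codec_crash_t sample_hits[8];

/* Scans the constructed sample log into sample_hits; returns the hit count. */
size_t scan_sample_log(void)
{
    return scan_codec_crashes(SAMPLE_LOG, SAMPLE_LOG_LEN, sample_hits, 8);
}

int main(void)
{
    size_t n = scan_sample_log();
    printf("%zu codec-service crash(es) in sample log\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  pid %d name %s signal %d\n",
               sample_hits[i].pid, sample_hits[i].name, sample_hits[i].signo);
    return 0;
}
```

In production the same scan would run over `adb logcat -b crash` output or collected tombstone files from an MDM; the interesting signal is not a single crash but a cluster of codec-service crashes on one device close to message-receipt events, which a correlation rule built on these records can flag.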

References

  • Cyber Kendra: Critical Dolby Decoder Flaw Enables Zero-Click Attacks on Billions of Android Devices (https://www.cyberkendra.com/2025/10/critical-dolby-decoder-flaw-enables.html)
  • SecurityOnline.info: Researcher Details Zero-Click RCE in Dolby Audio Decoder (https://securityonline.info/researcher-details-zero-click-rce-in-dolby-audio-decoder-affecting-android-ios-and-macos/)
  • LinkedIn: Vivek Gurung on CVE-2025-54957 (https://www.linkedin.com/posts/vivekgurung_cybersecurity-infosec-android-activity-7384704473291628545-h_V5)
  • Project Zero Issue Tracker (authentication required) (https://project-zero.issues.chromium.org/issues/428075495)
  • Reddit: High-Severity Dolby Decoder Flaw Opens Door to Zero-Click Attacks (https://www.reddit.com/r/pwnhub/comments/1obj48t/highseverity_dolby_decoder_flaw_opens_door_to/)
  • NSFOCUS: Microsoft Security Update in October of High-Risk Vulnerability Notice in Multiple Products (https://nsfocusglobal.com/microsoft-security-update-in-october-of-high-risk-vulnerability-notice-in-multiple-products/)
  • BleepingComputer: Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 172 flaws (https://www.bleepingcomputer.com/news/microsoft/microsoft-october-2025-patch-tuesday-fixes-6-zero-days-172-flaws/)

Rescana is here for you

Rescana is committed to helping organizations proactively manage and mitigate third-party cyber risk. Our advanced TPRM platform empowers security teams to continuously monitor, assess, and respond to emerging threats across their digital supply chain. If you have any questions about this advisory or require further assistance in understanding your exposure to vulnerabilities like CVE-2025-54957, our experts are ready to help. Please contact us at ops@rescana.com.
