A critical zero-click vulnerability in Dolby Digital Plus (DDP) audio decoding software has been disclosed, allowing attackers to execute malicious code remotely through seemingly innocuous audio messages.
Google Project Zero's Ivan Fratric and Natalie Silvanovich have identified an out-of-bounds write flaw in the DDPlus Unified Decoder, which processes evolution data in audio files.
This bug stems from an integer overflow in size calculations, resulting in an undersized buffer allocation. As a result, subsequent writes bypass bounds checks, potentially overwriting key struct members, including pointers processed in the next syncframe.
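The bug class described above, shown as an added example that is not taken from the bug report or from Dolby's code: a size calculation that wraps and yields an undersized allocation, next to a checked version. The frame layout, the 16-bit width, the function names and the input values are all assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical frame layout (an assumption, not the DDPlus format):
 * a fixed header followed by `count` blocks of `block_len` bytes. */
#define HDR_LEN 8u

/* Flawed: the total is truncated to 16 bits, so it can wrap to a small value. */
static uint16_t alloc_size_unchecked(uint16_t count, uint16_t block_len)
{
    return (uint16_t)((uint32_t)count * block_len + HDR_LEN);
}

/* Bytes a writer would place past the end of a buffer sized by the flawed
 * calculation when it later copies all `count` blocks. */
static size_t overrun_bytes(uint16_t count, uint16_t block_len)
{
    size_t needed = (size_t)count * block_len + HDR_LEN;
    size_t allocated = alloc_size_unchecked(count, block_len);
    return needed > allocated ? needed - allocated : 0;
}

/* Hardened: compute in size_t, reject wraparound and anything above `cap`. */
static bool alloc_size_checked(uint16_t count, uint16_t block_len,
                               size_t cap, size_t *out)
{
    if (block_len != 0 && count > (SIZE_MAX - HDR_LEN) / block_len)
        return false;
    size_t total = (size_t)count * block_len + HDR_LEN;
    if (total > cap)
        return false;
    *out = total;
    return true;
}

int main(void)
{
    size_t ok = 0;
    /* Constructed inputs: 257 blocks of 256 bytes need 65800 bytes. */
    printf("unchecked size: %u\n", (unsigned)alloc_size_unchecked(257, 256));
    printf("overrun bytes:  %zu\n", overrun_bytes(257, 256));
    printf("checked accepts: %d\n", alloc_size_checked(257, 256, 4096, &ok));
    return 0;
}
```

The checked variant fails closed: a decoder using it would drop the frame instead of allocating a buffer smaller than the data it is about to write.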
The issue affects devices running the decoder, with severe implications for Android users due to automatic audio processing.
The vulnerability, detailed in a recent bug report, highlights how modern messaging apps unwittingly expose users to remote code execution (RCE). On Android, the flaw enables attacks without any user interaction.
Incoming RCS (Rich Communication Services) audio messages and attachments are decoded locally for transcription purposes, triggering the bug silently in the background.
Potential Exploitation on Android Devices
Android devices are particularly at risk because the Google Messages app and similar clients use the DDPlus decoder to handle audio content proactively.
Attackers could craft malicious audio files, such as those in .ec3 or .mp4 formats, and send them via RCS. Once received, the target's device processes the file automatically, potentially leading to a crash in the C2 (Codec 2.0) process or worse, arbitrary code execution if exploited further.
Reproduction is straightforward for testers: by pushing a specially crafted file like "dolby_android_crash.mp4" into the messaging app's cache on a sending device and initiating an RCS voice message, the target device crashes upon receipt.
Researchers provided sample bitstreams, including one that targets 32-bit systems and another for 64-bit Android. This ease of exploitation underscores the urgency, as no user action like opening or playing the file is required.
In real-world scenarios, phishing campaigns or targeted attacks via messaging could weaponize this for data theft, malware implantation, or device takeover.
While patches remain unclear as of this report, Android users are advised to update their devices and messaging apps promptly. Google has not yet commented, but the 90-day disclosure window ended on September 24, 2025, making details public.
The flaw extends beyond Android; code analysis reveals its presence in macOS implementations, though pre-processing steps may prevent exploitation there.
Researchers are continuing to probe affected platforms, including potential impacts on iOS or other Dolby-integrated systems like smart TVs and streaming devices.
Evolution data handling in DDP, designed for enhanced audio features, ironically becomes a vector for abuse in this case.