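High-Severity Vulnerability in Dolby Unified Decoder Enables Zero-Click Remote Code Execution
A high-severity vulnerability (CVE-2025-54957) in Dolby's Unified Decoder could lead to remote code execution. The flaw is caused by a memory overflow and can be exploited when malicious audio is processed; on Android devices in particular, an attack requires no user interaction. Researchers have published proof-of-concept code and note that fixes have been released. 2025-10-20 09:49:0 Author: www.securityweek.com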

A high-severity vulnerability in Dolby’s Unified Decoder could be exploited for remote code execution, without user interaction in certain cases.

Built on top of the Dolby Digital Plus (DD+) standard, the Unified Decoder is a software/hardware component used for processing DD+, Dolby AC-4, and other audio formats, converting them into formats that can be played back through speakers.

Google Project Zero’s Ivan Fratric and Natalie Silvanovich discovered that the decoder was affected by an out-of-bounds write issue that could be triggered during the processing of evolution data.

“The decoder writes evolution information into a large, heap-like contiguous buffer contained by a larger struct, and the length calculation for one write can overflow due to integer wrap,” Silvanovich explains.

This, she notes, results in the allocated buffer being too small and in an ineffective out-of-bounds check of the subsequent write.

“This can allow later members of the struct to be overwritten, including a pointer that is written to when the next syncframe is processed,” she notes.
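The bug class described above, a wrapped length feeding a bounds check, is shown below as an added illustration. It is not Dolby's code and not from the Project Zero report; the struct layout, field names, sizes and both function names are hypothetical, and the input values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout: a bump-allocated arena followed by other members. */
#define ARENA_SIZE 4096u

struct decoder_state {
    uint8_t  arena[ARENA_SIZE];
    uint32_t used;            /* bytes already handed out */
    uint8_t *next_frame_out;  /* later member an overrun would reach */
};

/* Flawed pattern: the size is computed in 32 bits and can wrap, so a huge
 * request yields a small `need` that passes the bounds check. */
static bool reserve_unchecked(const struct decoder_state *s, uint32_t count,
                              uint32_t elem_size, uint32_t header, uint32_t *need)
{
    *need = count * elem_size + header;          /* wraps modulo 2^32 */
    return s->used <= ARENA_SIZE && *need <= ARENA_SIZE - s->used;
}

/* Hardened pattern: compare against the remaining space by division, so no
 * intermediate value can wrap before the decision is made. */
static bool reserve_checked(const struct decoder_state *s, uint32_t count,
                            uint32_t elem_size, uint32_t header, uint32_t *need)
{
    if (s->used > ARENA_SIZE) return false;
    uint32_t avail = ARENA_SIZE - s->used;
    if (header > avail) return false;
    if (elem_size != 0 && count > (avail - header) / elem_size) return false;
    *need = count * elem_size + header;          /* now provably <= avail */
    return true;
}

int main(void)
{
    static struct decoder_state s;               /* zero-initialised */
    uint32_t need = 0;
    /* Constructed input: 0x10000001 * 16 + 8 is about 4 GiB, wraps to 24. */
    bool ok = reserve_unchecked(&s, 0x10000001u, 16u, 8u, &need);
    printf("unchecked: accepted=%d need=%u\n", ok, (unsigned)need);
    ok = reserve_checked(&s, 0x10000001u, 16u, 8u, &need);
    printf("checked:   accepted=%d\n", ok);
    return 0;
}
```

When reviewing parsers for this pattern, look for sizes derived from untrusted fields by multiplication or addition before the comparison against the remaining space.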

Tracked as CVE-2025-54957 (CVSS score of 7.0), the security defect can be triggered using malicious audio messages, leading to remote code execution.

On Android, the vulnerability can be exploited remotely without user interaction, because all audio messages and attachments are decoded locally using Dolby’s Unified Decoder, Silvanovich says.

The security researcher has published proof-of-concept (PoC) exploit code demonstrating how the bug can be exploited to trigger a process crash on Android devices (Pixel 9 and Samsung S24), as well as on macOS and iOS.

“We investigated the exploitability of this bug on Android, and have achieved 0-click code execution in the mediacodec context on a Pixel 9 running version 16 BP2A.250605.031.A2,” Silvanovich notes.

Google Project Zero reported the security defect to Dolby Laboratories in June and released information on it after a 90-day disclosure deadline passed and fixes were rolled out.

Microsoft resolved the flaw as part of its October Patch Tuesday updates, noting that user interaction is required for successful exploitation on Windows. Last week, Google said patches were included in the latest ChromeOS updates.

Source: https://www.securityweek.com/vulnerability-in-dolby-decoder-can-allow-zero-click-attacks/