This "zero-click" flaw allows hackers to potentially control your phone without any user interaction, by exploiting how Android automatically decodes audio.

India's cybersecurity agency has urged Android users to immediately install the latest security updates after Google patched a vulnerability in Dolby audio technology that could allow hackers to take control of phones without any user interaction.
The Indian Computer Emergency Response Team (CERT-In), operating under the Ministry of Electronics and Information Technology, issued advisory CIVN-2026-0016 this week, warning that the flaw in the Dolby Digital Plus (DD+) Unified Decoder could be exploited to execute "arbitrary code" on targeted devices. The agency classified the risk as high, noting that both individuals and organisations using Android are vulnerable.
A Zero-Click Threat
The vulnerability, tracked as CVE-2025-54957, was first discovered by Google Project Zero researchers Ivan Fratric and Natalie Silvanovich in October 2025. Security researchers classified it as a zero-click exploit because attackers do not require victims to tap a link, open a file, or install an application. On Android, the bug is particularly dangerous because the operating system automatically decodes incoming audio messages for transcription, triggering the vulnerability without user involvement.
The flaw exists in Dolby DD+ Unified Decoder versions 4.5 through 4.13. According to Dolby's security advisory, the issue stems from an "out-of-bounds write" error that occurs when a specially crafted audio bitstream is processed. This can allow attackers to overwrite adjacent memory and potentially gain control of affected devices, including some Google Pixel models.
While Dolby stated in its October advisory that the risk of malicious exploitation was "low" and that the most common outcome was "a media player crash or restart," the company acknowledged "a possible increased risk of vulnerability if this bug is used alongside other known Pixel vulnerabilities".
Published: 15 Jan 2026, 10:08 pm IST

