Zero-Click Remote Code Execution Vulnerability in Dolby Audio Decoder
A critical zero-click remote code execution (RCE) vulnerability has been disclosed in the Dolby Unified Decoder, an audio format processing component shipped in Android, iOS, and macOS devices. The flaw, tracked as CVE-2025-54957, is an out-of-bounds write that can be triggered by a maliciously crafted audio message.

According to Google Project Zero researchers Ivan Fratric and Natalie Silvanovich, the vulnerability arises from improper handling of evolution data within the decoder. The decoder writes evolution information into a buffer inside a large, heap-allocated structure, but the length calculation can wrap around (integer overflow), so a crafted length passes the bounds check while the write runs past the buffer and into later members of the structure, including pointers. Corrupting those pointers is what turns the bug from a crash into potential arbitrary code execution.

Because the decoder processes incoming audio before a user ever opens it, the memory corruption requires no user interaction and is therefore a zero-click attack vector, particularly on Android devices: a device can be compromised simply by receiving the malicious audio, provided the receiving software decodes it automatically.

Google has released patches for ChromeOS, demonstrating the cross-platform impact of the vulnerability, and Microsoft included a fix in its latest Patch Tuesday updates, indicating that Windows systems that ship the Dolby decoder were also affected. Security researchers emphasize applying available patches promptly to mitigate the risk of exploitation. The discovery highlights the ongoing challenge of securing complex multimedia processing components, which are integrated into a wide range of consumer and enterprise devices.
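The wrapped length check that the researchers describe is easiest to see in code. The following C program is an added example written for this page, not Dolby's or Project Zero's code; its decoder_state_t layout, the EVO_CAP constant and the check_*, append_evo_data, overrun_bytes and reaches_on_frame functions are hypothetical stand-ins for whatever the real decoder uses. It places a wrapping 32-bit bounds check beside a hardened form, and computes in 64-bit arithmetic how far an accepted write would reach so that the overflow itself is never performed (doing so would be undefined behaviour).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical decoder state (assumption: not Dolby's real layout). A fixed
 * buffer for side data is followed by members the decoder trusts later,
 * including a function pointer, so a write that runs past evo_data
 * corrupts them. */
#define EVO_CAP 64u

typedef struct {
    uint8_t  evo_data[EVO_CAP];   /* destination for the payload chunks */
    uint32_t evo_len;             /* bytes already written into evo_data */
    void   (*on_frame)(void);     /* later member an overrun would overwrite */
} decoder_state_t;

/* Vulnerable bounds check: offset + len is evaluated in 32 bits and wraps,
 * so an attacker-chosen len close to UINT32_MAX passes the comparison. */
static bool check_wrapping(uint32_t offset, uint32_t len, uint32_t cap) {
    return offset + len <= cap;
}

/* Hardened bounds check: compare len against the space that remains instead
 * of adding. offset <= cap is established first, so cap - offset cannot
 * underflow, and no operand can wrap. */
static bool check_safe(uint32_t offset, uint32_t len, uint32_t cap) {
    if (offset > cap) return false;
    return len <= cap - offset;
}

/* Appends one chunk to st->evo_data using the hardened check.
 * Returns 0 on success, -1 if the chunk would not fit. */
static int append_evo_data(decoder_state_t *st, const uint8_t *chunk, uint32_t len) {
    if (!check_safe(st->evo_len, len, EVO_CAP)) return -1;
    memcpy(st->evo_data + st->evo_len, chunk, len);
    st->evo_len += len;
    return 0;
}

/* Bytes a write of (offset, len) would spill past the end of evo_data,
 * computed in 64 bits so the question can be answered without doing the
 * write. 0 means the write stays inside the buffer. */
static uint64_t overrun_bytes(uint32_t offset, uint32_t len) {
    uint64_t end = (uint64_t)offset + (uint64_t)len;
    return end > EVO_CAP ? end - EVO_CAP : 0;
}

/* Would a write of (offset, len) reach the function pointer member? */
static bool reaches_on_frame(uint32_t offset, uint32_t len) {
    uint64_t end = (uint64_t)offset + (uint64_t)len;
    return end > offsetof(decoder_state_t, on_frame);
}

/* Runs a small append sequence with the hardened check and returns the final
 * evo_len, or -1 if a chunk that should have been rejected was accepted. */
static int demo_append_sequence(void) {
    decoder_state_t st = {0};
    const uint8_t chunk[4] = {0xAA, 0xBB, 0xCC, 0xDD};   /* constructed payload */
    st.evo_len = 60;
    if (append_evo_data(&st, chunk, 4) != 0) return -1;   /* fits exactly */
    if (append_evo_data(&st, chunk, 1) == 0) return -1;   /* must be rejected */
    return (int)st.evo_len;
}

int main(void) {
    /* Constructed input: 60 bytes already consumed, then a chunk whose
     * declared length makes 60 + len wrap to 52 in 32-bit arithmetic. */
    uint32_t offset = 60;
    uint32_t evil_len = 0xFFFFFFF8u;

    printf("wrapping check accepts huge len: %s\n",
           check_wrapping(offset, evil_len, EVO_CAP) ? "yes" : "no");
    printf("hardened check accepts huge len: %s\n",
           check_safe(offset, evil_len, EVO_CAP) ? "yes" : "no");
    printf("overrun if performed: %llu bytes, reaches on_frame: %s\n",
           (unsigned long long)overrun_bytes(offset, evil_len),
           reaches_on_frame(offset, evil_len) ? "yes" : "no");
    printf("final evo_len after hardened appends: %d\n", demo_append_sequence());
    return 0;
}
```

The fix is the subtraction form of the check: once offset is known to be at most the capacity, cap - offset is the exact space left and len is compared against it directly, so no intermediate value can exceed 32 bits. The same reasoning applies to any decoder that accumulates an offset across variable-length chunks read from the input.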
The technical details, in particular the wrapped length check and the resulting pointer overwrites, underscore the skill required both to discover and to exploit such vulnerabilities. The coordinated disclosure and rapid patching by Google and Microsoft reflect the seriousness of the threat. Organizations should review their exposure to the Dolby Unified Decoder, including operating systems and applications that bundle it as a third-party component, and ensure all relevant updates are applied. The incident is a reminder of the need for robust security testing of third-party components embedded within operating systems and applications. Monitoring for exploitation attempts is also recommended: now that patches are public, threat actors may reverse-engineer them to develop working exploits, and the vulnerability's reach across multiple platforms makes it an attractive target, so timely remediation is essential for individual users and enterprises alike.
Related Stories
Critical Zero-Click RCE Vulnerability (CVE-2025-48593) in Android System Component
Google's November 2025 security update addresses a critical remote code execution vulnerability, CVE-2025-48593, in the Android System component. The flaw allows an attacker to execute code remotely on affected devices running Android 13 through 16 without user interaction and without additional execution privileges. It stems from insufficient validation of user input, which makes zero-click exploitation possible. The same update also fixes a separate privilege escalation issue, CVE-2025-48581, affecting Android 16, but the zero-click RCE is the primary concern and warrants immediate patching because of its severity. Google stated that it had no evidence of active exploitation in the wild at the time of the update. Security experts urge all users and organizations to apply the November 2025 security patch promptly to mitigate the risk posed by this critical vulnerability.
4 months ago
Critical RCE Vulnerability in Windows Imaging Component (CVE-2025-50165)
A critical vulnerability, CVE-2025-50165, was discovered in the Windows Imaging Component (WIC), specifically within the WindowsCodecs.dll library. The flaw arises from the dereferencing of an uninitialized function pointer during the compression and re-encoding of JPEG images with 12-bit or 16-bit color depth, rather than during standard image decoding or rendering. Security researchers from ESET and Zscaler have analyzed the vulnerability, confirming that it could potentially allow remote code execution if a specially crafted JPEG file is processed by a vulnerable application that performs re-encoding, such as during thumbnail creation. Despite the initial classification as a critical remote code execution risk, further technical analysis indicates that real-world exploitation is significantly constrained. Successful exploitation requires a precise set of conditions: the target application must use a vulnerable version of WindowsCodecs.dll and must re-encode, not just display, a malicious JPEG file. Simply opening or viewing a crafted image is insufficient to trigger the vulnerability, reducing the likelihood of mass exploitation. Microsoft has released a patch, and security experts recommend applying it, but the practical risk is lower than originally feared due to the complexity of the attack scenario.
2 months ago
Multiple Critical Vulnerabilities Disclosed Across Major Software and Hardware Platforms
Several critical vulnerabilities have been disclosed affecting a range of widely used software frameworks and hardware platforms. Notable issues include a critical flaw in the Apache bRPC framework (CVE-2025-59789) that exposes high-performance systems to crash risks, a high-severity unauthenticated XXE vulnerability in GeoServer (CVE-2025-58360) enabling file theft and SSRF, and a critical SQL injection vulnerability in Devolutions Server (CVE-2025-13757) that allows authenticated attackers to steal all stored passwords. Additional disclosures include a proof-of-concept exploit for a Windows Administrator Protection elevation of privilege vulnerability (CVE-2025-60718), a critical boot process compromise in Snapdragon 8 Gen 3 and 5G modems (CVE-2025-47372), and a flaw in Apache Kvrocks that allows privilege escalation via the 'RESET' command. A separate high-severity vulnerability (CVE-2025-61618) was identified in Unisoc T8100/T9100/T8200/T8300 chipsets, affecting Android devices and allowing remote denial of service through improper input validation in the NR modem. These vulnerabilities collectively highlight the ongoing risk posed by both software and hardware flaws, with several enabling remote code execution, privilege escalation, or denial of service. Organizations using affected products should prioritize patching and mitigation efforts to reduce exposure to these critical threats.
3 months ago