Dolby Audio Bug Flagged by CERT-In; Android Users Warned

The flaw was first identified in October 2025 and could allow unauthorised access to affected systems. In certain scenarios, attackers were able to execute commands on a device remotely without any action from the user.

PratidinTime Tech Desk

India’s national cyber security agency has advised Android smartphone users to promptly install the latest system updates after Google fixed a security vulnerability linked to Dolby audio software. The advisory was issued by the Indian Computer Emergency Response Team (CERT-In) following Google’s release of its January security patch.


According to CERT-In, the vulnerability affected the Dolby Digital Plus Unified Decoder, a component used in several Android devices. The flaw was first identified in October 2025 and could allow unauthorised access to affected systems. In certain scenarios, attackers were able to execute commands on a device remotely without any action from the user. Reports also suggested that the same weakness had implications for some Windows systems.

Google addressed the Dolby-related issue in its January update, and CERT-In has urged users to apply the patch as soon as it becomes available for their devices to minimise potential risks. The advisory applies to both individual users and organisations using Android devices.

Potential impact on users

CERT-In warned that the flaw could be exploited by attackers to run commands on targeted devices from remote locations. Such access could disrupt normal device operations and compromise stored data. The agency also cautioned that unpatched systems could face memory-related issues.

In its January 5 security bulletin, Google confirmed that the update resolves the vulnerability in Dolby components, noting that the assessment was provided by Dolby. Subsequently, Dolby issued its own advisory detailing the technical nature of the flaw.

Dolby explained that certain versions of its DD+ Unified Decoder, including versions 4.5 and 4.13, could write data beyond permitted memory limits when processing specific audio streams. This behaviour could potentially allow attackers to take control of affected devices, including some Google Pixel models and other Android smartphones.

Discovery by security researchers

The vulnerability was discovered by researchers from Google’s Project Zero team in October 2025. Their findings showed that the flaw could be triggered without requiring users to click on links or open media files, making it particularly difficult to detect.

Dolby stated that, in many instances, the issue resulted in media applications crashing or restarting, and it had not observed widespread exploitation at the time of issuing its advisory. Nevertheless, CERT-In emphasised that users should treat the risk seriously.

The agency has advised users to check for system updates through their device settings and install the latest versions released by manufacturers. It also recommended keeping automatic updates enabled to ensure the timely delivery of future security patches.
