Initiatieven voor
Als nationale autoriteit voor cyberveiligheid heeft het CCB verschillende initiatieven ontwikkeld voor specifieke doelgroepen die hier worden gepresenteerd.
Warning: High-severity vulnerability in Dolby Unified Decoder codec impacting multiple operating systems. Patch as soon as possible!
Image
Gepubliceerd : 21/10/2025
- Last update: 21/10/2025
- Affected software: Dolby Unified Decoder 4.5 through 4.13
- Type: Deserialization of Untrusted Data
- CVE/CVSS
→ CVE-2025-54957: CVSS 7.0 HIGH (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Sources
Google Project Zero - https://project-zero.issues.chromium.org/issues/428075495
Risks
Google's Project Zero team has discovered a vulnerability in the Dolby Unified Decoder.
This vulnerability has a downstream impact on multiple operating systems, including:
- Android (0-click)
- iOS
- Windows
- MacOS
- ChromeOS.
Exploiting this vulnerability allows an unauthorised attacker to execute code locally.
On most impacted operating systems, an attacker must send the user a malicious file and convince them to open it.
On Android, however, this is a 0-click vulnerability, as Android locally decodes all incoming audio messages and audio attachments for transcription, using this decoder, without the user interacting with the device.
Description
When a file is processed by Dolby's DDPlus Unified Decoder, an out of bounds write is possible when the evolution data is processed.
The decoder writes evolution information into a large, heap-like contiguous buffer contained by a larger struct, and the length calculation for one write can overflow due to integer wrap.
This leads to the 'allocated' buffer to be too small, and the out-of-bounds check of the subsequent write to be ineffective.
This can allow later members of the struct to be overwritten, including a pointer that is written to when the next syncframe is processed.
Recommended Actions
Patch as soon as your OS vendor makes an update available
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
The following vendors/products released patches:
- Microsoft Windows: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54957
- Google ChromeOS: https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-chromeos_18.html
We will update this advisory if we observe additional operating systems addressing this vulnerability.
Notify your users
The CCB recommends warning your users to be careful with opening media files coming from untrusted, unexpected locations or senders.
For Android: consider disabling the RCS feature to reduce the attack surface.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.
References
Microsoft’s Advisory - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54957