The Zero-Click Dolby Digital Plus vulnerability was first reported in October 2025.
CERT-In said that the issue was exploited to target individuals and organisations using Android phones.
Photo Credit: Unsplash/ Daniel Romero
Android smartphone owners have been advised by the Indian Computer Emergency Response Team (CERT-In) to download the latest Android update on their handsets. The latest security update from Google fixes a “critical” security flaw related to the Dolby audio bug. First discovered in October 2025, the “Zero-Click” Dolby Digital Plus (DD+) Unified Decoder vulnerability gave unauthorised access to bad actors, who were then able to execute code from their systems. The issue reportedly also impacted Windows devices. With its January security patch, Google has fixed the issue that put the privacy of many Android users at risk.
In its advisory note CIVN–2026-0016, which was issued on Wednesday, the cybersecurity watchdog has advised Android users to download the latest OS update, which patches the “critical” Dolby DD+ Unified Decoder security vulnerability on the phones. CERT-In warned that the said vulnerability could be exploited by hackers and other bad actors to execute “arbitrary” code on the targeted device remotely. Hackers can potentially corrupt the memory systems of the devices of organisations and individuals.
In its January 5 security bulletin, Google announced that its latest January security patch fixes the Dolby components-related vulnerability that was first reported in October 2025. The tech giant, while acknowledging the issue, said that the severity assessment was provided by Dolby.
Additionally, Dolby also issued a security advisory, detailing that an “out-of-bound” write within Dolby's DD+ Unified Decorder version 4.5 and 4.13 could occur while processing a “unique” DD+ bistream. The company also said that it was aware that this particular bug can potentially be exploited to remotely execute code on certain Google Pixel models and other Android devices.
However, at the time of issuing the security advisory, Dolby claimed that the risk of the bug being used for malicious purposes was low. It added that the bug was “most commonly” observed to result in a media player crash or restart.
In October 2025, Google's Project Zero, a group of security researchers, discovered that the Dolby DD+ Unified Decoder bug could be exploited for executing code on an Android device remotely. The researchers dubbed it a zero-click exploit, as it could be run by bad actors without requiring the victim to click on a link or open a media file.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.