Android smartphone users have been advised by the Indian Computer Emergency Response Team (CERT-In) to immediately install the latest Android security update on their devices. The warning follows Google’s release of a patch that fixes a “critical” security vulnerability linked to a Dolby audio bug that could put user privacy at serious risk.
According to CERT-In, the issue is related to a Zero-Click Dolby Digital Plus (DD+) Unified Decoder vulnerability that was first identified in October 2025. The flaw allowed unauthorised actors to remotely execute code on affected devices without any user interaction. The vulnerability was reported to impact Android smartphones and Windows devices.
In its advisory CIVN–2026-0016 issued on Wednesday, CERT-In said the latest Android OS update addresses the Dolby DD+ Unified Decoder security issue. The agency warned that the flaw could be exploited by hackers to execute “arbitrary” code remotely on targeted devices. Such attacks could also lead to memory corruption, affecting both individual users and organisations.
Google, in its January 5 security bulletin, confirmed that the January security patch resolves the Dolby-related vulnerability. The company noted that the severity assessment for the issue was provided by Dolby.
Dolby also released a separate security advisory explaining that an “out-of-bound” write could occur in Dolby’s DD+ Unified Decoder versions 4.5 and 4.13 when processing a “unique” DD+ bitstream. According to the advisory, this flaw could potentially be exploited to remotely execute code on certain Google Pixel models and other Android devices.
At the time of issuing the advisory, Dolby stated that the likelihood of the bug being used for malicious purposes was low. The company added that the issue most commonly resulted in media player crashes or device restarts.
Earlier, in October 2025, security researchers from Google’s Project Zero discovered that the Dolby DD+ Unified Decoder vulnerability could be used as a zero-click exploit. This meant attackers could trigger the flaw without requiring users to click on any links or open media files.
CERT-In has urged users to apply the latest updates without delay to protect their devices from potential exploitation.
Also read: Viksit Workforce for a Viksit Bharat
Do Follow: The Mainstream formerly known as CIO News LinkedIn Account | The Mainstream formerly known as CIO News Facebook | The Mainstream formerly known as CIO News Youtube | The Mainstream formerly known as CIO News Twitter
About us:
The Mainstream is a premier platform delivering the latest updates and informed perspectives across the technology business and cyber landscape. Built on research-driven, thought leadership and original intellectual property, The Mainstream also curates summits & conferences that convene decision makers to explore how technology reshapes industries and leadership. With a growing presence in India and globally across the Middle East, Africa, ASEAN, the USA, the UK and Australia, The Mainstream carries a vision to bring the latest happenings and insights to 8.2 billion people and to place technology at the centre of conversation for leaders navigating the future.
