Android’s January 2026 update fixes CVE-2025-54957, a critical Dolby audio decoder flaw discovered by Google researchers in October 2025.
A critical Dolby audio decoder vulnerability, tracked as CVE-2025-54957, was addressed in the January 2026 Android security update. Google fixed the flaw in December 2025 for Pixel phones and has now rolled out the fix to all Android devices.
The flaw in Dolby DD+ decoders (UDC v4.5–v4.13) can cause an out-of-bounds write when processing a specially crafted DD+ bitstream, potentially increasing risk on Android devices, including Pixel, if chained with other vulnerabilities.
“An out of bounds write within UDC v4.5 -> UDC v4.13 may occur when a unique Dolby Digital Plus (DD+) bitstream is processed by a DD+ decoder. This issue does not occur with a standard DD+ bitstream but only when a manually edited (though ‘valid’) bitstream is created. Dolby authoring tools are incapable of creating this type of bitstream,” reads the advisory. “We are aware of a report found with Google Pixel devices indicating that there is a possible increased risk of vulnerability if this bug is used alongside other known Pixel vulnerabilities. Other Android mobile devices could be at risk of similar vulnerabilities.”
Google Project Zero’s Ivan Fratric and Natalie Silvanovich discovered the vulnerability in October 2025.
Google Project Zero researchers state that an integer overflow can cause an out-of-bounds write, potentially overwriting pointers. On Android, it’s a 0-click bug because audio is decoded automatically.
“When a file is processed by Dolby’s DDPlus Unified Decoder, an out of bounds write is possible when the evolution data is processed. The decoder writes evolution information into a large, heap-like contiguous buffer contained by a larger struct, and the length calculation for one write can overflow due to integer wrap. This leads to the ‘allocated’ buffer to be too small, and the out-of-bounds check of the subsequent write to be ineffective. This can allow later members of the struct to be overwritten, including a pointer that is written to when the next syncframe is processed,” reads the report published by Google Project Zero. “On Android, this is a 0-click vulnerability, as Android locally decodes all incoming audio messages and audio attachments for transcription, using this decoder, without the user interacting with the device. This code is present on MacOS, but it is not clear whether this bug is reachable due to pre-processing checks.”
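The bug class the report describes, reduced to a constructed C example added here (it is not Dolby's or Project Zero's code): a length computed with wrapping arithmetic passes the bounds check, while a division-based check rejects the same request. The struct layout, function names and sizes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>

#define ARENA_SIZE 4096u   /* constructed size, not taken from the decoder */

/* Constructed layout: a bump-allocated region followed by other members,
   like the "heap-like contiguous buffer contained by a larger struct". */
struct decoder_state {
    uint8_t  arena[ARENA_SIZE];
    uint32_t used;
    uint8_t *next_frame_ptr;   /* a later member that an overrun could reach */
};

/* Flawed pattern: the 32-bit product wraps, so the bounds check compares a
   small value. Returns the bytes reserved, or -1 if the request is rejected. */
int64_t reserve_wrapping(struct decoder_state *s, uint32_t count, uint32_t elem_size)
{
    uint32_t len = count * elem_size;          /* wraps modulo 2^32 */
    if (len > ARENA_SIZE - s->used)
        return -1;
    s->used += len;
    return (int64_t)len;
}

/* Hardened pattern: compare against the remaining room by division, so the
   multiplication is only performed when it cannot wrap. */
int64_t reserve_checked(struct decoder_state *s, uint32_t count, uint32_t elem_size)
{
    uint32_t room = ARENA_SIZE - s->used;
    if (elem_size != 0 && count > room / elem_size)
        return -1;                             /* true size exceeds the room left */
    uint32_t len = count * elem_size;          /* safe: len <= room */
    s->used += len;
    return (int64_t)len;
}

/* The unwrapped size a later write loop would actually cover. */
uint64_t true_size(uint32_t count, uint32_t elem_size)
{
    return (uint64_t)count * elem_size;
}
```

With `count = 0x10000001` and `elem_size = 16`, the wrapping version reserves 16 bytes for a request whose true size is over 4 GiB, which is the mismatch that makes a later bounds check ineffective.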
(SecurityAffairs – hacking, CVE-2025-54957)
