
The fix eliminates a high‑severity, remotely exploitable flaw that could allow attackers to execute code without user interaction, safeguarding the broader Android ecosystem. Timely remediation protects millions of devices from potential data breaches and malware propagation.
The Dolby DD+ decoder vulnerability, tracked as CVE-2025-54957, stems from an integer overflow that corrupts a heap‑adjacent buffer within Unified Decoder components (UDC v4.5‑v4.13). When a maliciously edited but technically valid DD+ bitstream is decoded, the length calculation wraps, causing the decoder to write beyond its allocated memory. This type of flaw is especially dangerous in media libraries because audio decoding runs automatically on most smartphones, providing a low‑visibility attack surface that researchers at Google Project Zero highlighted in late 2025.
On Android, the bug qualifies as a 0‑click exploit: the operating system automatically decodes incoming audio messages and attachments for transcription, meaning an attacker can trigger the out‑of‑bounds write without any user interaction. By overwriting adjacent pointers, a malicious actor could achieve arbitrary code execution, particularly if the exploit is chained with other known Pixel vulnerabilities. While the issue does not affect standard Dolby‑generated streams, the ability to craft a malicious payload with common audio tools makes it a realistic threat for both end‑users and enterprise‑managed devices.
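The bug class described in the two paragraphs above (a length calculation that wraps, so the decoder allocates a small buffer and then writes past it) is easiest to see in a reduced form. The following C is an added illustration written for this article, not Dolby's decoder code and not taken from the Pixel patch: the `frame_header_t` layout, the field names and the sample bitstreams are all constructed. It places the wrapping 32-bit multiply next to a hardened version that uses overflow-checked arithmetic and bounds the result against the bytes actually present in the input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of an integer-overflow-driven heap overflow in a
 * length calculation. Hypothetical layout; not Dolby's or Google's code. */
typedef struct {
    uint32_t block_count;   /* number of audio blocks claimed by the header */
    uint32_t block_size;    /* bytes per block claimed by the header */
} frame_header_t;

/* Vulnerable pattern: the product wraps modulo 2^32, so a crafted header can
 * make the decoder allocate far less than the copy loop will later write. */
uint32_t wrapped_frame_size(uint32_t block_count, uint32_t block_size) {
    return block_count * block_size;
}

/* Hardened pattern: overflow-checked multiply, then a bound against the
 * payload bytes that really remain in the stream. Returns 0 on success. */
int safe_frame_size(uint32_t block_count, uint32_t block_size,
                    size_t input_remaining, size_t *out_len) {
    size_t total;
    if (__builtin_mul_overflow((size_t)block_count, (size_t)block_size, &total))
        return -1;                        /* arithmetic would wrap */
    if (total == 0 || total > input_remaining)
        return -1;                        /* claims more payload than exists */
    *out_len = total;
    return 0;
}

/* Convenience wrapper: 1 if a header would be accepted, 0 if rejected. */
int frame_accepted(uint32_t block_count, uint32_t block_size,
                   size_t input_remaining) {
    size_t len;
    return safe_frame_size(block_count, block_size, input_remaining, &len) == 0;
}

/* Decode one frame (header followed by payload) using the hardened check.
 * Returns the number of payload bytes copied, or -1 if the frame is rejected. */
long decode_frame(const uint8_t *stream, size_t stream_len, uint8_t **out) {
    if (stream_len < sizeof(frame_header_t)) return -1;
    frame_header_t hdr;
    memcpy(&hdr, stream, sizeof hdr);
    size_t len;
    if (safe_frame_size(hdr.block_count, hdr.block_size,
                        stream_len - sizeof hdr, &len) != 0)
        return -1;
    uint8_t *buf = malloc(len);
    if (!buf) return -1;
    memcpy(buf, stream + sizeof hdr, len);   /* len is now provably in bounds */
    *out = buf;
    return (long)len;
}

int main(void) {
    /* Constructed well-formed stream: 2 blocks of 4 bytes, 8 payload bytes. */
    uint8_t good[sizeof(frame_header_t) + 8] = {0};
    frame_header_t h = {2, 4};
    memcpy(good, &h, sizeof h);
    uint8_t *out = NULL;
    long n = decode_frame(good, sizeof good, &out);
    printf("well-formed frame: %ld payload bytes copied\n", n);
    free(out);

    /* Constructed header whose 32-bit product wraps to 0x10000 (64 KiB)
     * although it describes roughly 4 GiB of blocks. */
    printf("wrapped length: 0x%x\n", wrapped_frame_size(0x10000u, 0x10001u));
    frame_header_t evil = {0x10000u, 0x10001u};
    uint8_t bad[sizeof(frame_header_t) + 16] = {0};
    memcpy(bad, &evil, sizeof evil);
    n = decode_frame(bad, sizeof bad, &out);
    printf("crafted frame: %s\n", n < 0 ? "rejected" : "accepted");
    return 0;
}
```

The second check in `safe_frame_size` matters as much as the overflow test: on a 64-bit build the product does not wrap in `size_t`, so only the comparison against `input_remaining` stops the decoder from reading and writing beyond the bitstream that was actually delivered.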
Google’s response—first a Pixel‑only patch in December 2025 followed by a universal rollout in the January 2026 security bulletin—demonstrates the importance of rapid vulnerability disclosure and coordinated patch distribution. The broad update protects the extensive Android device base, reinforcing the platform’s security posture amid increasing supply‑chain attacks. OEMs are urged to prioritize timely adoption of Google’s security patches and to audit third‑party codec implementations, ensuring that similar decoder flaws are identified and mitigated before they reach production devices.