A critical vulnerability in Dolby audio decoders (CVE-2025-54957) was patched in the January 2026 Android security update, affecting devices including Pixel. Researchers warn this flaw could lead to out-of-bounds write exploits, especially when combined with other vulnerabilities.
Key points
- The vulnerability involves an out-of-bounds write in Dolby DD+ decoders when processing crafted bitstreams.
- It was discovered by Google Project Zero researchers Ivan Fratric and Natalie Silvanovich in October 2025.
- The flaw mainly affects Android devices, including Pixel phones, but may also impact macOS.
- Attackers can exploit this bug without user interaction due to automatic audio decoding on Android.
- Google rolled out fixes for Pixel devices in December 2025 and for all Android devices in January 2026.