Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Critical Dolby Vulnerability Patched in Android

The flaw is tracked as CVE-2025-54957 and its existence came to light in October 2025 after it was discovered by Google researchers.

Android vulnerability

The January 2026 Android update patches a single vulnerability, a critical Dolby audio decoder issue whose existence came to light in October 2025.

The flaw, tracked as CVE-2025-54957, was described at the time of its disclosure as a medium-severity out-of-bounds write issue impacting the widely used Dolby Digital Plus (DD+) Unified Decoder. 

The vulnerability, exploitable using specially crafted media files, was discovered by Google researchers and reported to Dolby in June 2025, with a patch released in September. 

The vulnerability started making headlines in October, after Google made public technical details and Microsoft announced patching the security hole in Windows. 

In most cases, the vulnerability can lead to a crash or restart, which Google researchers have demonstrated on Pixel 9, Samsung S24, MacBook Air M1, and iPhone 17 Pro devices.

However, the researchers discovered that zero-click remote code execution can be achieved on Android devices. As a result, a critical severity rating has been assigned to CVE-2025-54957 on Android.

Advertisement. Scroll to continue reading.

“On Android OS, audio attachments and voice messages are decoded locally; therefore, the flaw can be exploited without any user interaction,” explained Adam Boynton, senior security strategy manager at mobile device management and security firm Jamf.

Google included a patch for the flaw in its December 2025 update for Pixel phones, and the tech giant has now rolled out a patch for all Android devices.

The January 2026 Android security bulletin does not describe any other vulnerability. No Pixel, Android Automotive OS, or Wear patches have been released this month.    

Related: Android Zero-Days Patched in December 2025 Security Update

Related: Landfall Android Spyware Targeted Samsung Phones via Zero-Day

Related: Pixnapping Attack Steals Data From Google, Samsung Android Phones

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Sherrod DeGrippo has been appointed Head of Threat Intelligence for Palo Alto Networks Unit 42.

Christopher Porter has joined Booz Allen Hamilton as Global Chief Information Security Officer.

Yael Ben Arie has joined exposure validation company Pentera as Chief Product Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.