Vulnerabilities

Critical Dolby Vulnerability Patched in Android

The flaw is tracked as CVE-2025-54957 and its existence came to light in October 2025 after it was discovered by Google researchers.

Android vulnerability

The January 2026 Android update patches a single vulnerability, a critical Dolby audio decoder issue whose existence came to light in October 2025.

The flaw, tracked as CVE-2025-54957, was described at the time of its disclosure as a medium-severity out-of-bounds write issue impacting the widely used Dolby Digital Plus (DD+) Unified Decoder. 

The vulnerability, exploitable using specially crafted media files, was discovered by Google researchers and reported to Dolby in June 2025, with a patch released in September. 

The vulnerability started making headlines in October, after Google made public technical details and Microsoft announced patching the security hole in Windows. 

In most cases, the vulnerability can lead to a crash or restart, which Google researchers have demonstrated on Pixel 9, Samsung S24, MacBook Air M1, and iPhone 17 Pro devices.

However, the researchers discovered that zero-click remote code execution can be achieved on Android devices. As a result, a critical severity rating has been assigned to CVE-2025-54957 on Android.

Advertisement. Scroll to continue reading.

“On Android OS, audio attachments and voice messages are decoded locally; therefore, the flaw can be exploited without any user interaction,” explained Adam Boynton, senior security strategy manager at mobile device management and security firm Jamf.

Google included a patch for the flaw in its December 2025 update for Pixel phones, and the tech giant has now rolled out a patch for all Android devices.

The January 2026 Android security bulletin does not describe any other vulnerability. No Pixel, Android Automotive OS, or Wear patches have been released this month.    

Related: Android Zero-Days Patched in December 2025 Security Update

Related: Landfall Android Spyware Targeted Samsung Phones via Zero-Day

Related: Pixnapping Attack Steals Data From Google, Samsung Android Phones

Related Content

Vulnerabilities

The privilege escalation vulnerability tracked as CVE-2026-50656 has been patched with a Microsoft Malware Protection Engine update.

Artificial Intelligence

Wiz has disclosed the details of a new AI coding assistant attack method it has dubbed GhostApproval.

Vulnerabilities

The security refresh resolves 13 use-after-free bugs, including two critical-severity flaws found by Google.

Vulnerabilities

Tracked as CVE-2026-11405, the vulnerability allows unauthenticated attackers to access a device's web management interface.

Artificial Intelligence

The "Rogue Agent" vulnerability could have enabled attackers to silently manipulate AI conversations, exfiltrate data, and compromise every Dialogflow CX agent within the same...

Artificial Intelligence

Researchers show how attackers can use a crafted public GitHub Issue to trick AI-powered workflows into exposing data from private repositories without authentication.

Vulnerabilities

Attackers are exploiting the critical Gitea vulnerability CVE-2026-20896 to bypass authentication with a single HTTP header and access vulnerable repositories and secrets.

Vulnerabilities

Hackers are exploiting a recently patched critical vulnerability (CVE-2026-48282) in Adobe ColdFusion that carries a CVSS score of 10/10.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version