Thursday, January 8, 2026

Google has released the January 2026 Android security update to address a critical vulnerability in the Dolby Digital Plus (Dolby DD+) audio decoder, tracked as CVE-2025-54957. The flaw is rated Critical and was originally discovered by researchers from Google Project Zero in October 2025. Google had previously begun rolling out a fix to Pixel devices in December 2025, before extending the patch to all Android devices through the latest update.
The vulnerability affects Dolby DD+ Unified Decoder (UDC) versions 4.5 through 4.13 and can lead to an out-of-bounds write when the decoder processes a specially crafted DD+ audio file that is nonetheless a valid bitstream. The root cause is an integer overflow in a length calculation: the computed length wraps to a value smaller than the real payload, so the buffer allocated from it is too small and the bounds checks derived from it no longer reflect how much data the decoder actually writes. The resulting write past the end of the buffer can corrupt adjacent data structures or memory pointers, which raises the risk of exploitation, especially when chained with other vulnerabilities on Android devices.
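To make the bug class concrete, the following is a constructed illustration added here; it is not Dolby's decoder code, and the header fields (block_count, block_size, header_len), the 1 MiB sanity limit and the sample header values are assumptions made for the example. It shows the vulnerable pattern (a 32-bit length that wraps, so both the sanity check and the allocation see a tiny value while the decode loop writes the full payload) beside a hardened version that checks every arithmetic step before using the result. The vulnerable path is simulated rather than executed, so the program does not corrupt memory.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of an integer overflow in a length calculation.
 * NOT Dolby UDC code: header layout, field names and the limit below are
 * assumptions made for this example only. */

#define MAX_FRAME_LEN (1u << 20)   /* assumed sanity limit: 1 MiB */

/* Vulnerable pattern: block_count * block_size + header_len is evaluated in
 * 32-bit arithmetic and silently wraps for large inputs. */
static uint32_t vuln_compute_len(uint32_t block_count, uint32_t block_size,
                                 uint32_t header_len)
{
    return block_count * block_size + header_len; /* may wrap */
}

/* Bytes the decode loop would really write, computed without wrapping. */
static uint64_t bytes_written(uint32_t block_count, uint32_t block_size,
                              uint32_t header_len)
{
    return (uint64_t)block_count * block_size + header_len;
}

/* Simulates the vulnerable path without performing any write.
 * Returns 1 if the header passes the (wrapped) sanity check and the
 * allocation would be smaller than the data written, 0 otherwise. */
static int vuln_would_overflow(uint32_t block_count, uint32_t block_size,
                               uint32_t header_len)
{
    uint32_t alloc = vuln_compute_len(block_count, block_size, header_len);
    if (alloc > MAX_FRAME_LEN)
        return 0;                        /* rejected: check did its job */
    return bytes_written(block_count, block_size, header_len) > alloc;
}

/* Hardened pattern: reject the frame if either operation would wrap or the
 * honest total exceeds the limit. Returns the length, or -1 on rejection. */
static int64_t safe_compute_len(uint32_t block_count, uint32_t block_size,
                                uint32_t header_len)
{
    uint32_t prod, total;
    if (block_size != 0 && block_count > UINT32_MAX / block_size)
        return -1;                       /* multiplication would wrap */
    prod = block_count * block_size;
    if (header_len > UINT32_MAX - prod)
        return -1;                       /* addition would wrap */
    total = prod + header_len;
    if (total > MAX_FRAME_LEN)
        return -1;                       /* over the sanity limit */
    return (int64_t)total;
}

int main(void)
{
    /* Constructed header: 0x01000001 * 0x100 = 0x100000100, wraps to 0x100. */
    uint32_t evil_count = 0x01000001u, evil_size = 0x100u, hdr = 16u;
    uint32_t ok_count = 6u, ok_size = 0x100u;

    printf("vulnerable: evil header allocs %u bytes, loop writes %llu, overflow=%d\n",
           vuln_compute_len(evil_count, evil_size, hdr),
           (unsigned long long)bytes_written(evil_count, evil_size, hdr),
           vuln_would_overflow(evil_count, evil_size, hdr));
    printf("hardened:   evil header -> %lld (negative means rejected)\n",
           (long long)safe_compute_len(evil_count, evil_size, hdr));
    printf("hardened:   benign header -> %lld bytes\n",
           (long long)safe_compute_len(ok_count, ok_size, hdr));
    return 0;
}
```

The important design point is that the hardened version never trusts a value it has just computed from attacker-controlled fields; each step is checked against the limits of the type before the result feeds an allocation or a bounds comparison. On GCC and Clang the same checks can be written with `__builtin_mul_overflow` and `__builtin_add_overflow`, which also catch the wrap without the manual division.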
Google researchers noted that, on Android, this issue qualifies as a "zero-click vulnerability": the system may automatically decode received audio files (such as voice messages or audio attachments) for processing or transcription without any user interaction, so a victim need not open or play the file. This significantly elevates the risk. Google therefore strongly recommends that users and administrators update Android devices to the January 2026 security patch level, or later, as soon as possible to mitigate the threat posed by this vulnerability.
