Google has issued its January 2026 Android Security Bulletin, urging users to update to the 2026-01-05 patch level or later to mitigate a critical vulnerability in Dolby components.
The standout issue, CVE-2025-54957, affects the Dolby Digital Plus (DD+) codec and could enable out-of-bounds memory writes on affected Android devices.
At the heart of this flaw lies an out-of-bounds write vulnerability in Dolby’s Universal Decoder Core (UDC) versions 4.5 through 4.13. It triggers only when processing a specially crafted DD+ bitstream, one that’s manually edited to be “valid” but non-standard.
Legitimate Dolby authoring tools cannot generate such streams, limiting natural occurrence. However, the bulletin notes a report involving Google Pixel devices in which this bug amplifies risk when combined with other known Pixel-specific vulnerabilities.
“Other Android mobile devices could be at risk of similar vulnerabilities,” Google warns. For non-Pixel hardware, exploitation typically results in a media player crash or device restart, suggesting limited impact from malicious use in isolation.
Severity is rated Critical by Dolby, with full details available via their channels (A-438955204). Patches are already rolling out, and AOSP source code changes will follow within 48 hours of the bulletin’s publication.
This vulnerability underscores ongoing challenges in multimedia codecs, a perennial vector for Android exploits. DD+ decoding handles high-quality audio in apps and streaming services, making it a prime target.
Attackers could embed malicious bitstreams in seemingly benign media files, potentially enabling code execution if combined with privilege-escalation bugs, especially on Pixels, per the report.
Google emphasizes its layered defenses. The Android security platform includes exploit mitigations like hardened memory management, while Google Play Protect scans for potentially harmful apps (PHAs) in real time.
Enabled by default on Google Mobile Services (GMS) devices, Play Protect has thwarted countless threats. Partners receive advance notifications at least a month prior, enabling timely OEM patches.
Users should immediately check their device’s security patch level via Settings > About phone > Android version. Prioritize updates, especially for Pixel owners, and stick to Google Play for apps to leverage Play Protect.
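For fleet or lab checks, the same comparison can be scripted. The following is an added example, not part of the bulletin or the article: it reads the standard `ro.build.version.security_patch` property over adb (assumes adb is installed and USB debugging is enabled on the device) and reports whether the device is at the 2026-01-05 level or later.

```shell
#!/bin/sh
# Patch level the January 2026 bulletin asks users to reach.
REQUIRED_PATCH="2026-01-05"

# Convert a zero-padded YYYY-MM-DD string to an integer such as 20260105,
# after validating the format. Prints nothing and returns 2 on bad input.
patch_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s' "$1" | tr -d '-' ;;
        *) echo "unrecognised patch level: '$1'" >&2; return 2 ;;
    esac
}

# Return 0 when the given patch level is 2026-01-05 or later, 1 when older,
# 2 when the string is not a patch level at all.
patch_level_ok() {
    have=$(patch_to_int "$1") || return 2
    need=$(patch_to_int "$REQUIRED_PATCH")
    [ "$have" -ge "$need" ]
}

# Read the patch level from a connected device with USB debugging enabled.
# Assumes adb is on PATH; ro.build.version.security_patch is the property
# shown under Settings > About phone > Android version. The tr strips the
# trailing CR/LF that adb shell output carries.
device_patch_level() {
    adb shell getprop ro.build.version.security_patch | tr -d '\r\n'
}

# Query the device and print a verdict; non-zero exit means action needed.
check_device() {
    level=$(device_patch_level) || return 2
    if patch_level_ok "$level"; then
        echo "patch level $level meets $REQUIRED_PATCH: January 2026 fixes present"
    else
        echo "patch level $level is older than $REQUIRED_PATCH: update required"
        return 1
    fi
}

# Only talk to a device when asked, so the functions can be sourced or tested offline.
if [ "${1:-}" = "--device" ]; then
    check_device
fi
```

Run it as `sh check_patch.sh --device` with one device attached; the patch level date only tells you the bulletin's fixes should be present, so OEM-specific Dolby updates still depend on the vendor build.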
While no active exploits are confirmed, this patch level addresses broader issues grouped by component, with Dolby being the highlighted one. The security team continues monitoring via Play Protect telemetry.
