Google has issued its January 2026 Android Safety Bulletin, urging customers to replace to the 2026-01-05 patch degree or later to mitigate a crucial vulnerability in Dolby elements.
The standout challenge, CVE-2025-54957, targets the Dolby Digital Plus (DD+) codec and will allow out-of-bounds reminiscence writes on affected Android units.
On the coronary heart of this flaw lies an out-of-bounds write vulnerability in Dolby’s Common Decoder Core (UDC) variations 4.5 by 4.13. It triggers solely when processing a specifically crafted DD+ bitstream, one which’s manually edited to be “legitimate” however non-standard.
Respectable Dolby authoring instruments can’t generate such streams, limiting pure prevalence. Nonetheless, the bulletin notes a report involving Google Pixel units by which this bug amplifies danger when mixed with different identified Pixel-specific vulnerabilities.
“Different Android cellular units may very well be susceptible to related vulnerabilities,” Google warns. For non-Pixel {hardware}, exploitation usually leads to a media participant crash or gadget restart, suggesting a low bar for malicious use in isolation.
Severity is rated Important by Dolby, with full particulars accessible by way of their channels (A-438955204). Patches are already rolling out, and AOSP supply code adjustments will observe inside 48 hours of the bulletin’s publication.
This vulnerability underscores ongoing challenges in multimedia codecs, a perennial vector for Android exploits. DD+ decoding handles high-quality audio in apps and streaming providers, making it a chief goal.
Attackers may embed malicious bitstreams in seemingly benign media recordsdata, doubtlessly enabling code execution if mixed with privilege-escalation bugs, particularly on Pixels, per the report.
Google emphasizes its layered defenses. The Android safety platform consists of exploit mitigations like hardened reminiscence administration, whereas Google Play Defend scans for doubtlessly dangerous apps (PHAs) in real-time.
Enabled by default on Google Cell Companies (GMS) units, Play Defend has thwarted numerous threats. Companions obtain advance notifications a minimum of a month prior, enabling well timed OEM patches.
Customers ought to instantly test their gadget’s safety patch degree by way of Settings > About telephone > Android model. Prioritize updates, particularly for Pixel house owners, and persist with Google Play for apps to leverage Play Defend.
Whereas no energetic exploits are confirmed, this patch degree addresses broader points grouped by part, with Dolby being the highlighted one. The safety group continues monitoring by way of Play Defend telemetry.
Comply with us on Google Information, LinkedIn, and X for day by day cybersecurity updates. Contact us to function your tales.
