CVE-2025-54957
Published Oct 20, 2025
Last updated a month ago
AI description
CVE-2025-54957 is a buffer overflow vulnerability affecting Dolby Universal Decoder Core (UDC) versions 4.5 through 4.13. The flaw resides within the Dolby Digital Plus (DD+) decoder process and can be triggered by processing specially crafted, malformed DD+ bitstreams. Specifically, an integer overflow occurs during the length calculation when the `evo_priv.c` component parses "Evolution data" from the DD+ bitstream. This results in an undersized buffer being allocated, which then renders subsequent out-of-bounds checks ineffective and leads to an out-of-bounds write condition. Google Project Zero researchers discovered this vulnerability, highlighting its potential for zero-click exploitation on mobile devices, as audio attachments and voice messages are often decoded automatically.
- Description
- An issue was discovered in Dolby UDC 4.5 through 4.13. A crash of the DD+ decoder process can occur when a malformed DD+ bitstream is processed. When Evolution data is processed by evo_priv.c from the DD+ bitstream, the decoder writes that data into a buffer. The length calculation for a write can overflow due to an integer wraparound. This can lead to the allocated buffer being too small and to the out-of-bounds check of the subsequent write being ineffective, leading to an out-of-bounds write.
- Source
- cve@mitre.org
- NVD status
- Deferred
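The description above names the failure mode without code: a 32-bit length derived from bitstream-controlled fields wraps, the buffer is allocated at the wrapped size, and the bounds check on the later write no longer protects it. The C below is an added illustration of that CWE-190 pattern and of its hardened form; it is not Dolby's code, does not parse DD+, and the field names (`count`, `elem_size`, `header`), the `EVO_MAX_LEN` cap and the shape of the bound check (a sum `offset + n` that can itself wrap) are assumptions for illustration, not claims about the Dolby decoder. `__builtin_mul_overflow` / `__builtin_add_overflow` are the GCC and Clang overflow-checking builtins.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration of the CWE-190 pattern named in the CVE text.
 * Nothing here is Dolby's code or DD+ parsing: the field names, the
 * EVO_MAX_LEN cap and the shape of the bound check are assumptions. */

/* Assumed sanity cap on an Evolution-data buffer for this example. */
#define EVO_MAX_LEN (1u << 20)

/* Unchecked form: count and elem_size come from the bitstream, so the
 * 32-bit product can wrap and yield a length far smaller than the data
 * the decoder will later write into the buffer sized from it. */
uint32_t evo_len_unchecked(uint32_t count, uint32_t elem_size, uint32_t header)
{
    return count * elem_size + header;
}

/* Hardened form: every step is overflow-checked and the result is
 * capped, so the packet is rejected instead of producing a wrapped size. */
bool evo_len_checked(uint32_t count, uint32_t elem_size, uint32_t header,
                     uint32_t *out_len)
{
    uint32_t payload, total;
    if (__builtin_mul_overflow(count, elem_size, &payload))
        return false;
    if (__builtin_add_overflow(payload, header, &total))
        return false;
    if (total > EVO_MAX_LEN)
        return false;
    *out_len = total;
    return true;
}

/* Naive bound check before writing n bytes at offset: the sum
 * offset + n can itself wrap, so an oversized n passes the test. */
bool write_fits_naive(uint32_t buf_len, uint32_t offset, uint32_t n)
{
    return offset + n <= buf_len;
}

/* Wrap-free bound check: compare n against the remaining space, which
 * is computed by subtraction and cannot overflow once offset <= buf_len. */
bool write_fits_checked(uint32_t buf_len, uint32_t offset, uint32_t n)
{
    return offset <= buf_len && n <= buf_len - offset;
}

int main(void)
{
    uint32_t len = 0;
    /* Constructed header values: 0x40000000 elements of 4 bytes is 4 GiB,
     * which wraps to 0 in 32 bits; adding a 16-byte header leaves 16. */
    printf("unchecked length: %u\n", evo_len_unchecked(0x40000000u, 4u, 16u));
    printf("checked accepts:  %d\n", evo_len_checked(0x40000000u, 4u, 16u, &len));
    /* A 64-byte buffer and a request to write 0xFFFFFFF0 bytes at offset 32. */
    printf("naive check passes:   %d\n", write_fits_naive(64u, 32u, 0xFFFFFFF0u));
    printf("checked check passes: %d\n", write_fits_checked(64u, 32u, 0xFFFFFFF0u));
    return 0;
}
```

The two halves are the two defects the description chains together: `evo_len_unchecked` shows how the allocation size collapses to a small value, and `write_fits_naive` shows why a bound check written as a sum does not catch the subsequent oversized write. The checked variants reject the packet at the length calculation, which is where a decoder should fail closed.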
CVSS 3.1
- Type
- Secondary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- 134c704f-9b21-4f2e-91b3-4a467353bcc0
- CWE-190
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
- 31
🚨 Google Project Zero just published a Pixel 10 zero-click to root exploit chain. Two vulnerabilities and less than a day of work to weaponize the second one. Chain: - Stage 1: same Dolby UDC zero-click (CVE-2025-54957) used against the Pixel 9. Patched in January 2026. On
@IntCyberDigest
14 May 2026
38697 Impressions
57 Retweets
576 Likes
179 Bookmarks
11 Replies
8 Quotes
⚠️ ALERT: Zero-click exploit chain discovered for Google Pixel 10. Root access to the Android system in 2 exploits. CVE-2025-54957. https://t.co/oHea04eH3p #CiberseguridadMX #CyberSecurity #Ransomware
@BotBauR
13 May 2026
200 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
🚨 Critical Android vulnerability you need to know about CVE-2025-54957 affects the Dolby Digital Plus decoder found in virtually ALL modern devices. Why it matters, Zero-click RCE on Android A simple media file could compromise your device 📱 #AndroidSecurity #Koodous
@koodous_project
26 Jan 2026
211 Impressions
3 Retweets
6 Likes
2 Bookmarks
0 Replies
0 Quotes
Top 5 Trending CVEs: 1 - CVE-2025-54957 2 - CVE-2026-21962 3 - CVE-2025-43529 4 - CVE-2026-0629 5 - CVE-2017-9506 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
22 Jan 2026
16 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-54957 - Zero-Click Android RCE. Just receiving an audio file can hack your phone. Without opening it. Flaw in Dolby Decoder. Demonstrated on Pixel 9 and Samsung S24. Update Android to the 2026-01-05 patch NOW #Android #ZeroClick #SecNetNews
@secnetnew
18 Jan 2026
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-54957
@Das_Evangelium
14 Jan 2026
50 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
📱 [Critical DD+ vulnerability in Android] Google has published the January 2026 Android security bulletin. The Dolby Digital Plus (DD+) integer overflow vulnerability CVE-2025-54957 is fixed as Critical. The corresponding patch level is 2026-01-05. Affected devices are secu…
@InSecSol0417
13 Jan 2026
353 Impressions
0 Retweets
9 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Your Android hacked with just a voice message CVE-2025-54957 | CRITICAL → Zero-click attack via Dolby codec → Tested on Pixel 9, Samsung S24 Update your phone NOW: Settings → System → Software Update #android #cybersecurity #hacking https://t.co/oZTilxE1Tn
@secnetnew
12 Jan 2026
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Xiaomi's January 2026 security patch is crucial! - Fixes CVE-2025-54957 (Dolby exploit) - Affects devices like Xiaomi 15 and Note series - Last update for some models: Xiaomi 12, Redmi Note 12 5G, POCO X5 Pro Check for updates in Settings > About P… https://t.co/wogWew
@timexiaomi
10 Jan 2026
484 Impressions
1 Retweet
12 Likes
0 Bookmarks
2 Replies
0 Quotes
⚠️ Vulnerability in Android products ❗ CVE-2025-54957 ➡️ More info: https://t.co/CUOUOVbHwN https://t.co/a4LHwEBUow
@CERTpy
8 Jan 2026
152 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Google has published the January 2026 Android security bulletin and, as a countermeasure against a critical vulnerability in a Dolby-related component, strongly urges updating to patch level 2026-01-05 or later. On Pixel devices in particular, in combination with other flaws…
@yousukezan
6 Jan 2026
756 Impressions
0 Retweets
3 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Android January 2026 Patch Fixes Critical Dolby DD+ Decoder “0-Click” Bug (CVE-2025-54957) Google’s January 2026 Android security update patches CVE-2025-54957, an out-of-bounds write in Dolby DD+ decoding that can be triggered by a specially crafted bitstream and may
@ThreatSynop
6 Jan 2026
37 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical Dolby DD+ Codec Flaw in Android Enables Memory Corruption (CVE-2025-54957) Google’s January 2026 Android Security Bulletin patches a critical out-of-bounds write in Dolby Universal Decoder Core (UDC) 4.5–4.13 that can be triggered by a specially crafted Dolby Di
@ThreatSynop
6 Jan 2026
28 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-54957 and Android Zero-Click RCE Analysis By CyberDudeBivash Read the full report on - https://t.co/OZEOMZgtwA https://t.co/O2wp0Gs2FV
@cyberbivash
6 Jan 2026
4 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical Dolby Decoder Flaw Patched in January 2026 Android Update (CVE-2025-54957) Android’s January 2026 security update fixes a critical out-of-bounds write in the Dolby Digital Plus (DD+) Unified Decoder that could be triggered by specially crafted media files, potenti
@ThreatSynop
6 Jan 2026
35 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-54957 Zero-Click Nightmare: The Critical Dolby Codec Flaw That Hijacks Androids via a Single Audio Message Read the full report on - https://t.co/j68XA1nfrk https://t.co/1Fl1k0oxbQ
@cyberbivash
6 Jan 2026
2 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Google patches critical Dolby vulnerability in Android (CVE-2025-54957), fixing DD+ Codec leak that could expose user data after discovery by Google researchers in Oct 2025. #Android https://t.co/fpvCXz02kg
@threatcluster
6 Jan 2026
29 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Android Security Bulletin - January 2026 https://t.co/lqBkKEcIJ6 1 crit in DD+ Codec(Dolby) - CVE-2025-54957, 0-click RCE(OOBW due to an integer overflow)
@xvonfers
6 Jan 2026
2944 Impressions
5 Retweets
26 Likes
16 Bookmarks
0 Replies
0 Quotes
IMPORTANT - Android Security Bulletin - January 2026 Published January 5, 2026 CVE-2025-54957, A-438955204 Critical DD+ Codec https://t.co/8g2VoErJpl https://t.co/7rFo6JL76d
@johnspectator
5 Jan 2026
135 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
0-click vulnerability in Dolby's DDPlus decoder affected Android (CVE-2025-54957) A malformed audio file can trigger an out-of-bounds write due to integer overflow in evolution data handling—leading to memory corruption and crashes. Android decodes audio messages locally, makin
@HackingTeam777
24 Oct 2025
599 Impressions
1 Retweet
2 Likes
3 Bookmarks
0 Replies
0 Quotes
Warning: High-severity vulnerability in #Dolby Unified Decoder codec impacting multiple operating systems. CVE-2025-54957 CVSS: 7.0 #Patch as soon as your OS releases an update! More info: https://t.co/ytqOWiCCCF
@CCBalert
21 Oct 2025
55 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-54957 Buffer Overflow Vulnerability in Dolby UDC DD+ Decoder 4.5-4.13 https://t.co/LVv8hYgY1v
@VulmonFeeds
20 Oct 2025
56 Impressions
1 Retweet
2 Likes
0 Bookmarks
0 Replies
0 Quotes
https://t.co/bGbfdxCr65 - CVE-2025-54957 | *Severity:* HIGH (7.6) Bug Bounty Relevance: MEDIUM Dolby UDC versions 4.5 through 4.13 have an out-of-bounds write vulnerability in the DD+ decoder process du (1/3)
@BugBountyShorts
20 Oct 2025
37 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
CVE-2025-54957 An issue was discovered in Dolby UDC 4.5 through 4.13. A crash of the DD+ decoder process can occur when a malformed DD+ bitstream is processed. When Evolution data i… https://t.co/4yub1E9SVN
@CVEnew
20 Oct 2025
263 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Zero-click vulnerability in Dolby's DDPlus Unified Decoder. CVE-2025-54957 has a CVSS score of 7.0 and is an out-of-bounds write during evolution data processing. A PoC (proof-of-concept attack code) that causes crashes exists for Android, iOS and macOS. Since the report, 90…
@__kokumoto
20 Oct 2025
58 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
0-click vulnerability in Dolby's DDPlus decoder affected Android (CVE-2025-54957) A malformed audio file can trigger an out-of-bounds write due to integer overflow in evolution data handling—leading to memory corruption and crashes. Android decodes audio messages locally, makin
@The_Hunt_x
17 Oct 2025
47 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
0-click vulnerability affected Android in Dolby's DDPlus decoder-CVE-2025-54957 Malformed audio could lead to memory corruption and crashes. Android decodes audio locally, making this exploitable without user interaction just by receiving crafted RCS voice message by @natashenka
@androidmalware2
17 Oct 2025
5874 Impressions
15 Retweets
103 Likes
51 Bookmarks
1 Reply
1 Quote
🚨 CRITICAL: Google discloses zero-click Android vulnerability in Dolby decoder (CVE-2025-54957) Attackers can hack your phone just by sending an audio message 📱 Affects Pixel, Samsung, and other Android devices ✅ Patches available—update NOW Read Full Details- http
@cyberkendra
16 Oct 2025
95 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes