Advisory

Google Android security bulletin for January 2026 patches Zero-Click vulnerability in Dolby Audio decoder

Take action: This update fixes only one flaw in Android, but it is still very important, because the flaw is amplified by Android defaults. Most users cannot rush the patch, since their vendors may not yet have released an updated version of Android for their devices. Do not delay the update to your Android device once the notification arrives on your phone.


Learn More

Google released the January 2026 Android Security Bulletin, which fixes a flaw in a Dolby audio component found in many mobile devices. The bug allows attackers to run malicious code on Android devices without any user interaction.

The flaw, tracked as CVE-2025-54957 (CVSS score 5.4, Google severity Critical), is an out-of-bounds write vulnerability in the DD+ Codec subcomponent. It is caused by an integer overflow during the parsing of evolution data within Dolby-encoded audio files.

When processing malformed DD+ bitstreams, the decoder miscalculates buffer lengths, leading to insufficient memory allocation. Subsequent operations can then write data outside the allocated buffer, resulting in memory corruption that could enable remote code execution.
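The following C snippet is an added illustration of the bug class described above and is not code from the advisory, from Google, or from Dolby's decoder. The frame header layout, the `BYTES_PER_SAMPLE` constant and the `MAX_FRAME_BYTES` limit are all constructed assumptions, not the DD+ bitstream format. It places a length computation that wraps in 32-bit arithmetic (the pattern that turns an integer overflow into an undersized allocation and an out-of-bounds write) beside a hardened version that widens the arithmetic and bounds the result before any allocation happens.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed, hypothetical frame header read from an untrusted bitstream.
 * This is NOT the DD+ format and NOT Dolby's decoder; it only reproduces the
 * integer-overflow-to-under-allocation pattern the advisory describes. */
typedef struct {
    uint32_t num_blocks;        /* blocks in this frame */
    uint32_t samples_per_block; /* samples in each block */
} frame_header_t;

#define BYTES_PER_SAMPLE 2u                      /* assumed sample width */
#define MAX_FRAME_BYTES (16u * 1024u * 1024u)    /* assumed decoder limit */

/* Vulnerable pattern (CWE-190 leading to CWE-787): all operands are 32-bit,
 * so the product silently wraps. A hostile header can make this return a tiny
 * value (even 0) while the decode loop still writes num_blocks *
 * samples_per_block samples into the buffer sized from it. */
uint32_t frame_bytes_unchecked(const frame_header_t *h) {
    return h->num_blocks * h->samples_per_block * BYTES_PER_SAMPLE;
}

/* Hardened pattern: widen to 64 bits before multiplying (the product of two
 * uint32_t values always fits), then bound the sample count against the
 * decoder's limit BEFORE the final multiply so that step cannot overflow
 * either. The frame is rejected instead of being decoded into a short buffer. */
bool frame_bytes_checked(const frame_header_t *h, size_t *out) {
    uint64_t samples = (uint64_t)h->num_blocks * h->samples_per_block;
    if (samples == 0 || samples > MAX_FRAME_BYTES / BYTES_PER_SAMPLE)
        return false;
    *out = (size_t)(samples * BYTES_PER_SAMPLE);
    return true;
}

/* Diagnostic: true when the unchecked computation would hand the allocator
 * fewer bytes than the decoder will actually write for this header. */
bool header_under_allocates(const frame_header_t *h) {
    uint64_t samples = (uint64_t)h->num_blocks * h->samples_per_block;
    if (samples > UINT64_MAX / BYTES_PER_SAMPLE)
        return true; /* needed size exceeds anything a 32-bit result can express */
    uint64_t needed = samples * BYTES_PER_SAMPLE;
    return needed > frame_bytes_unchecked(h);
}

/* Allocate a frame buffer only from the checked size; returns NULL on a
 * malformed header instead of returning a buffer that is too small. */
uint8_t *alloc_frame_buffer(const frame_header_t *h, size_t *len) {
    if (!frame_bytes_checked(h, len))
        return NULL;
    return calloc(*len, 1);
}

int main(void) {
    /* Constructed sample headers: one benign, one with a wrapping product. */
    frame_header_t benign  = { 6u, 256u };
    frame_header_t hostile = { 0x10000u, 0x8000u }; /* 2^31 samples, 2^32 bytes */
    size_t len = 0;

    printf("benign : unchecked=%u  under-allocates=%d\n",
           frame_bytes_unchecked(&benign), header_under_allocates(&benign));
    printf("hostile: unchecked=%u  under-allocates=%d\n",
           frame_bytes_unchecked(&hostile), header_under_allocates(&hostile));

    uint8_t *buf = alloc_frame_buffer(&hostile, &len);
    printf("hardened path %s the hostile frame\n", buf ? "accepted" : "rejected");
    free(buf);
    return 0;
}
```

The benign header yields 3072 bytes on both paths; the hostile header makes the unchecked product wrap to exactly 0 bytes while the decoder would still write 4 GiB of samples, which is the "insufficient memory allocation" the advisory describes. The hardened path never reaches an allocation for that header.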

On Android platforms, the vulnerability's severity is amplified by the system's default behavior of automatically decoding incoming audio messages for transcription purposes, particularly via Rich Communication Services (RCS). This automatic processing allows attackers to remotely trigger the vulnerability by sending a specially crafted audio file to a target device without requiring any user interaction.

The vulnerability affects multiple platforms beyond Android, including iOS, macOS, ChromeOS, and Windows systems that utilize the Dolby DD+ decoder. However, the zero-click attack vector is unique to Android due to its automatic audio message processing capabilities.

Android device manufacturers will release patches addressing CVE-2025-54957 through standard update channels. Users are strongly advised to update to security patch level 2026-01-05 or later to address this vulnerability and all previous security issues.
