PT-2025-42572 · Android +3

Published 2025-10-14 · Updated 2026-01-17 · CVE-2025-54957

CVSS v3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Dolby UDC versions 4.5 through 4.13
Description: A flaw exists in the Dolby UDC (Unified Decoder) DD+ decoder process, potentially leading to remote code execution. This issue arises when processing a malformed DD+ bitstream, specifically during the handling of Evolution data within the evo priv.c component. An integer overflow in the length calculation for a write operation can cause the allocated buffer to be too small, rendering the subsequent out-of-bounds check ineffective and resulting in an out-of-bounds write. This allows attackers to overwrite data structures, including pointers, potentially gaining control of the system. The vulnerability can be exploited remotely, without user interaction, on Android devices due to the automatic decoding of audio messages. Researchers demonstrated a proof-of-concept exploit capable of causing a process crash on devices like the Pixel 9 and Samsung S24, as well as macOS and iOS. The vulnerability is tracked as CVE-2025-54957.
Recommendations: Update Dolby UDC to a version later than 4.13.
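The bug class described above, as an added illustration that is not Dolby's code and bears no relation to the real decoder's layout: a hypothetical chunk parser whose 32-bit length calculation wraps, so the allocation comes out tiny while the bounds check (computed with the same wrapping arithmetic) still passes; the hardened variant rejects the overflow before allocating. The header size and all lengths are constructed values.

```c
/* Hypothetical example of an integer-overflow-defeated bounds check.
 * Not the vulnerable decoder's code; all sizes are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN 16u  /* constructed fixed header size */

/* Vulnerable length calculation: 32-bit addition wraps silently, so a
 * declared length near UINT32_MAX yields a tiny allocation size. */
uint32_t vuln_alloc_len(uint32_t declared_len) {
    return declared_len + HDR_LEN;
}

/* The "subsequent out-of-bounds check" done with the same wrapping
 * arithmetic: it compares the wrapped sum against the wrapped size,
 * so it passes exactly when the allocation was undersized. */
bool vuln_bounds_check(uint32_t declared_len, uint32_t alloc_len) {
    return HDR_LEN + declared_len <= alloc_len;
}

/* Ground truth, computed in 64 bits: does the write really fit? */
bool write_fits(uint32_t declared_len, uint32_t alloc_len) {
    return (uint64_t)HDR_LEN + declared_len <= alloc_len;
}

/* Hardened: detect the overflow with a checked add and refuse the chunk.
 * Returns 0 (never a valid total, since HDR_LEN > 0) on overflow. */
uint32_t safe_alloc_len(uint32_t declared_len) {
    uint32_t total;
    if (__builtin_add_overflow(declared_len, HDR_LEN, &total))
        return 0;
    return total;
}

int main(void) {
    uint32_t bad = 0xFFFFFFF8u;  /* constructed malformed declared length */
    uint32_t alloc = vuln_alloc_len(bad);
    printf("declared=0x%08x alloc=%u check_passes=%d really_fits=%d\n",
           bad, alloc, vuln_bounds_check(bad, alloc), write_fits(bad, alloc));
    printf("hardened alloc_len=%u (0 means rejected)\n", safe_alloc_len(bad));
    return 0;
}
```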

Fix

RCE

Memory Corruption

Integer Overflow

Weakness Enumeration

Related Identifiers

BDU:2025-13252
CVE-2025-54957

Affected Products

Android
Pixel
Samsung
Windows