PT-2025-42572 · Google +3 · Pixel +3

Published 2025-10-14 · Updated 2025-11-26 · CVE-2025-54957

CVSS v3.1: 6.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected Versions

Dolby UDC versions 4.5 through 4.13

Description

A flaw in the Dolby Unified Decoder (UDC) could allow remote attackers to execute arbitrary code. The issue is an out-of-bounds write in the DD+ decoder when it processes malformed DD+ bitstreams. Specifically, an integer overflow occurs in the length calculation while processing Evolution data in the evo priv.c component, which leads to a buffer overflow. This lets attackers overwrite data structures, potentially including pointers, enabling remote code execution. On Android devices, the vulnerability can be exploited remotely without user interaction, because audio messages and attachments are decoded locally by the UDC. A proof-of-concept (PoC) exploit has been demonstrated on Android (Pixel 9, Samsung S24) and macOS devices. The vulnerability is tracked as CVE-2025-54957.

Recommendations

Update to a newer version of Dolby UDC that contains a fix for this vulnerability.

Fix

RCE

Memory Corruption

Weakness Enumeration

Related Identifiers

BDU:2025-13252
CVE-2025-54957

Affected Products

Android
Pixel
Samsung
Windows