PT-2025-42572 · Samsung+3

Published 2025-10-14 · Updated 2026-03-10 · CVE-2025-54957

CVSS v3.1: 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Name of the Vulnerable Software and Affected Versions: Dolby UDC versions 4.5 through 4.13

Description: A flaw in the Dolby UDC DD+ decoder can lead to a process crash or potentially allow remote code execution. The issue stems from an integer overflow in a length calculation performed while processing Evolution data from a DD+ bitstream; the undersized result leads to an out-of-bounds write. The vulnerability can be triggered by a specially crafted audio file and, on Android devices, may be exploitable without user interaction because received audio messages are decoded automatically. The decoder is shipped on Android, iOS, Windows, and streaming platforms, so all of these are affected. Researchers achieved zero-click code execution on a Pixel 9 device, and a process crash can be caused on Android (Pixel 9 and Samsung S24), macOS, and iOS devices. The vulnerability is not triggered by standard DD+ bitstreams; it requires a manually edited bitstream.

Recommendations: Update Dolby UDC to a version later than 4.13. Update Android devices to the January 2026 security patch or later. Update ChromeOS to the latest version that includes the fix. Update Windows to the October Patch Tuesday release or later.
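The bug class the description refers to, an additive length calculation that wraps in 32-bit arithmetic so that the decoder allocates a small buffer and then copies the original, much larger length into it, is shown below as an added illustrative model. This is not Dolby's code and does not reproduce the real DD+ or Evolution-data syntax: the 4-byte big-endian length header, the field names, the function names and the sample inputs are all assumptions made for the example. The two functions return a plan (would the decoder proceed, how much would it allocate, how much would it copy) instead of performing the copy, so the mismatch can be inspected safely.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative model only (not Dolby's code): an "Evolution data" block is
 * assumed to begin with a 32-bit big-endian payload length, followed by the
 * payload. The decoder sizes its working buffer as header + payload. */
#define EVO_HDR_BYTES 4u

/* Outcome of the length stage, so the vulnerable and hardened versions can be
 * compared without actually performing the out-of-bounds write. */
struct evo_plan {
    int      accepted;   /* 1 if the decoder would go on to allocate and copy */
    uint32_t alloc_size; /* bytes it would allocate */
    uint32_t copy_len;   /* bytes the copy loop would actually write */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: payload_len + EVO_HDR_BYTES is computed in 32 bits and
 * wraps when payload_len is near UINT32_MAX. The wrapped total passes the
 * "fits in the bitstream" check, a tiny buffer is allocated, and the copy loop
 * then writes payload_len bytes into it: a heap out-of-bounds write. */
struct evo_plan evo_plan_vuln(const uint8_t *bs, size_t bs_len)
{
    struct evo_plan p = {0, 0, 0};
    if (bs_len < EVO_HDR_BYTES)
        return p;
    uint32_t payload_len = be32(bs);
    uint32_t total = payload_len + EVO_HDR_BYTES;  /* may wrap to a small value */
    if (total > bs_len)                            /* check uses the wrapped total */
        return p;
    p.accepted   = 1;
    p.alloc_size = total;
    p.copy_len   = payload_len;                    /* unrelated to alloc_size now */
    return p;
}

/* Hardened version: reject the wrap before the sum is used, and only then
 * bound the total by what the bitstream actually contains. */
struct evo_plan evo_plan_safe(const uint8_t *bs, size_t bs_len)
{
    struct evo_plan p = {0, 0, 0};
    if (bs_len < EVO_HDR_BYTES)
        return p;
    uint32_t payload_len = be32(bs);
    if (payload_len > UINT32_MAX - EVO_HDR_BYTES)  /* the sum would wrap */
        return p;
    uint32_t total = payload_len + EVO_HDR_BYTES;
    if (total > bs_len)
        return p;
    p.accepted   = 1;
    p.alloc_size = total;
    p.copy_len   = payload_len;                    /* alloc_size - header, as intended */
    return p;
}

/* Constructed sample inputs (not real DD+ data): a benign block with a 4-byte
 * payload, and a crafted header whose length makes the total wrap to 2. */
static const uint8_t evo_benign[]  = {0x00, 0x00, 0x00, 0x04, 0xAA, 0xBB, 0xCC, 0xDD};
static const uint8_t evo_crafted[] = {0xFF, 0xFF, 0xFF, 0xFE, 0x41, 0x41, 0x41, 0x41};

static void show(const char *label, struct evo_plan p)
{
    printf("%-8s accepted=%d alloc=%u copy=%u\n",
           label, p.accepted, p.alloc_size, p.copy_len);
}

int main(void)
{
    show("vuln", evo_plan_vuln(evo_crafted, sizeof evo_crafted));
    show("safe", evo_plan_safe(evo_crafted, sizeof evo_crafted));
    show("benign", evo_plan_safe(evo_benign, sizeof evo_benign));
    return 0;
}
```

With the crafted header the vulnerable path accepts the block, plans a 2-byte allocation and a 0xFFFFFFFE-byte copy; the hardened path rejects the same header while still accepting the benign block. The same check is what the `-fsanitize=unsigned-integer-overflow` family of sanitizers would flag at the wrapping addition during fuzzing of a decoder like this.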

Fix

RCE

Memory Corruption

Integer Overflow

Weakness Enumeration

Related Identifiers

BDU:2025-13252
CVE-2025-54957

Affected Products

Android
Pixel
Samsung
Windows