
Critical Dolby vulnerability in Android patched by Google


Google has fixed a critical vulnerability in the Android implementation of Dolby audio. The flaw sits in the DD+ codec and could lead to data leakage on devices that have not been patched. Dolby rated the severity as moderate, but Google assesses the risk as critical.

CVE-2025-54957 is a buffer overflow vulnerability in Dolby UDC versions 4.5 to 4.13. According to security company Wiz, it occurs when the DD+ bitstream decoder processes data in the evo_priv.c component: while handling that data, the decoder may allocate insufficient buffer space.

Because the allocation is too small, the out-of-bounds check no longer behaves correctly, and the result is a buffer overflow that can lead to data leakage. Dolby gave the vulnerability a CVSS score of 6.5, which is classified as moderate. Nevertheless, context is always important: a 10.0 risk in an application that never reaches the internet is generally less serious than a 6.5 bug in one that does have an internet connection.

Greater impact on Pixel smartphones

Dolby states that exploiting the vulnerability in most cases causes a media player to crash or restart. In combination with other Android vulnerabilities, however, the impact can be much greater. Google therefore rates the severity higher and assesses CVE-2025-54957 as critical, particularly for its own Pixel smartphones.

The technical details show that the problem lies in the processing of Evolution data. An integer wraparound during the length calculation results in an undersized buffer allocation, which in turn leads to an out-of-bounds write when the decoder writes into that buffer.
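The chain the article describes (untrusted length field, 32-bit wraparound, undersized allocation, out-of-bounds write) is a generic pattern, and the fix is a generic one too. The following is an added illustration written for this page, not code from Dolby, Wiz or Google: the `chunk_hdr_t` layout and all field names are hypothetical, and the 16 MiB sanity limit is an assumed decoder-specific bound. It contrasts the wrapping size calculation with a widened, bounded one and shows how to detect, without performing any out-of-bounds write, that the narrow arithmetic would hand the decoder a buffer smaller than what it goes on to write.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, hypothetical chunk header modelled on the pattern in the text:
 * every field is read straight from the untrusted stream. Not Dolby's layout. */
typedef struct {
    uint32_t count;        /* number of elements the stream announces */
    uint32_t elem_size;    /* bytes per element the stream announces */
    uint32_t header_bytes; /* fixed header copied in front of the elements */
} chunk_hdr_t;

/* Vulnerable pattern: the size is computed in 32-bit arithmetic, so a large
 * count * elem_size wraps around and the "required" size comes out tiny.
 * Allocating this many bytes is the undersized allocation step. */
uint32_t wrapping_alloc_size(const chunk_hdr_t *h)
{
    return h->header_bytes + h->count * h->elem_size;
}

/* Ground truth: bytes the decode loop would really write, computed in 64-bit
 * arithmetic. Two uint32_t operands can never overflow a uint64_t product,
 * and adding a third uint32_t cannot overflow either. */
uint64_t true_required_bytes(const chunk_hdr_t *h)
{
    return (uint64_t)h->header_bytes + (uint64_t)h->count * (uint64_t)h->elem_size;
}

/* Detection helper: true when the 32-bit calculation would yield a buffer
 * smaller than the data written into it, i.e. when wraparound occurred. */
bool wraparound_undersizes_buffer(const chunk_hdr_t *h)
{
    return (uint64_t)wrapping_alloc_size(h) < true_required_bytes(h);
}

/* Hardened calculation: widen first, then bound the total by a decoder-specific
 * sanity limit and by what size_t can represent. Returns false (and leaves
 * *out untouched) when the chunk must be rejected before any allocation. */
bool checked_alloc_size(const chunk_hdr_t *h, uint64_t max_chunk_bytes, size_t *out)
{
    uint64_t total = true_required_bytes(h);
    if (total > max_chunk_bytes || total > (uint64_t)SIZE_MAX)
        return false;
    *out = (size_t)total;
    return true;
}

#define MAX_CHUNK_BYTES (16u * 1024u * 1024u) /* assumed per-chunk limit */

/* Decode-path sketch built on the hardened size: allocate exactly what the
 * checked calculation returns and refuse streams shorter than they claim.
 * Returns NULL for rejected input; otherwise the caller owns the buffer and
 * *len holds its length. */
uint8_t *decode_chunk(const chunk_hdr_t *h, const uint8_t *payload,
                      size_t payload_len, size_t *len)
{
    size_t need;
    if (!checked_alloc_size(h, MAX_CHUNK_BYTES, &need))
        return NULL;                 /* wrapped or absurd length: reject */
    if (payload_len < need)
        return NULL;                 /* truncated stream */
    uint8_t *buf = malloc(need ? need : 1);
    if (!buf)
        return NULL;
    memcpy(buf, payload, need);      /* never writes past the checked size */
    *len = need;
    return buf;
}

int main(void)
{
    /* Constructed inputs: a benign chunk and one whose length wraps. */
    chunk_hdr_t benign  = { 100u, 4u, 16u };
    chunk_hdr_t wrapped = { 0x40000000u, 4u, 16u }; /* 0x40000000 * 4 == 2^32 */

    printf("benign : 32-bit size %u, real size %llu, undersized=%d\n",
           wrapping_alloc_size(&benign),
           (unsigned long long)true_required_bytes(&benign),
           wraparound_undersizes_buffer(&benign));
    printf("wrapped: 32-bit size %u, real size %llu, undersized=%d\n",
           wrapping_alloc_size(&wrapped),
           (unsigned long long)true_required_bytes(&wrapped),
           wraparound_undersizes_buffer(&wrapped));

    size_t n = 0;
    uint8_t payload[416];
    memset(payload, 0xAB, sizeof payload);
    uint8_t *out = decode_chunk(&benign, payload, sizeof payload, &n);
    printf("benign decode: %s (%zu bytes)\n", out ? "accepted" : "rejected", n);
    free(out);
    printf("wrapped decode: %s\n",
           decode_chunk(&wrapped, payload, sizeof payload, &n) ? "accepted" : "rejected");
    return 0;
}
```

The defensive point is that the check must run on the widened value before the allocation, not on the already-wrapped 32-bit result; a bounds check performed after the narrow calculation compares against a size that is already wrong. Compiling with `-fsanitize=undefined` does not flag unsigned wraparound (it is defined behaviour in C), so this class of bug needs an explicit check or a widened type rather than a sanitizer.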

Broader context: Android vulnerabilities

Android has recently been dealing with buffer overflow issues more frequently. Authorities such as the Dutch NCSC therefore recommend updating Android devices regularly, especially after vulnerabilities have been disclosed. Similar issues have also come to light in other components, such as FreeType and Chrome GPU.

Google patches such vulnerabilities via its monthly security bulletins, and OEMs such as Samsung and Xiaomi roll the fixes out to their devices. Due to fragmentation in the Android ecosystem, however, it can take weeks or months before all users receive a patch: many Android devices do not run the latest version because the OEM's variant has not yet been rolled out.

Users can check their patch level via Settings > About phone > Android security update. Experts recommend installing the latest security patch as soon as it becomes available.