Google has published the January 5, 2026 Android Security Bulletin, and while the changelog is unusually short, it addresses a serious and long-running security flaw that Android users should not ignore.

The bulletin includes just one vulnerability fix, but it’s a big one: CVE-2025-54957, a critical flaw in Dolby’s DD+ (Dolby Digital Plus) Unified Decoder. The issue has been known internally since mid-2025, was privately disclosed through Google Project Zero, and has now finally been patched at the Android platform level.

According to the January 2026 bulletin, the vulnerability affects Dolby components and has been rated Critical by Dolby itself.

Google does not provide full technical details in the Android bulletin, instead pointing users to Dolby’s advisory. However, the background of this vulnerability shows why it has attracted attention across multiple platforms.

What exactly is CVE-2025-54957?

The vulnerability was first reported to Google Project Zero on June 27, 2025, and affects Dolby Unified Decoder (UDC) versions 4.5 through 4.13.

At a technical level, the flaw is an out-of-bounds write caused by an integer overflow during “evolution” data parsing in Dolby’s DD+ decoder. When a specially crafted — but still valid — Dolby Digital Plus bitstream is processed, the decoder miscalculates buffer size due to integer wraparound. This allows memory beyond the allocated buffer to be overwritten.

Crucially, that memory can include function pointers, opening the door to arbitrary code execution.
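The following C program is an added illustration of the bug class the bulletin describes (an attacker-controlled element count multiplied by an element size in 32-bit arithmetic, wrapping to a small number, so the decoder allocates a short buffer and then writes past it). It is not Dolby's decoder code and does not reproduce the actual DD+ "evolution" format; the block layout, field names and the `MAX_ENTRIES` limit are constructed for the example. It places a wrap-prone size calculation beside a hardened parser that rejects overflow, oversized claims and truncated input before copying anything.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical policy limit on entries per block; a real decoder would take
 * this from the format specification. */
#define MAX_ENTRIES 4096u
#define HDR_LEN 8u   /* constructed header: u32 entry_count, u32 entry_size (LE) */

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Wrap-prone computation: count * size in 32 bits silently wraps around, so
 * a crafted count such as 0x40000001 with size 4 yields 4 instead of 4 GiB.
 * A decoder that allocates this many bytes and then loops over `entry_count`
 * entries writes far beyond the buffer. (Returned for comparison only; the
 * example never allocates or writes based on it.) */
uint32_t vulnerable_payload_bytes(uint32_t entry_count, uint32_t entry_size) {
    return entry_count * entry_size;
}

/* Hardened computation: rejects zero fields, out-of-policy counts, size_t
 * overflow (portable division check) and totals above the caller's limit. */
bool safe_payload_bytes(uint32_t entry_count, uint32_t entry_size,
                        size_t limit, size_t *out) {
    if (entry_count == 0 || entry_size == 0) return false;
    if (entry_count > MAX_ENTRIES) return false;
    if ((size_t)entry_count > SIZE_MAX / (size_t)entry_size) return false;
    size_t total = (size_t)entry_count * (size_t)entry_size;
    if (total > limit) return false;
    *out = total;
    return true;
}

/* Parses one constructed block into dst. Returns bytes copied, or -1 if the
 * header is malformed, the declared payload would overflow or exceed dst,
 * or the input is shorter than the payload it declares. */
long parse_block(const uint8_t *in, size_t in_len, uint8_t *dst, size_t dst_cap) {
    if (in_len < HDR_LEN) return -1;
    uint32_t count = read_le32(in);
    uint32_t esize = read_le32(in + 4);
    size_t total;
    if (!safe_payload_bytes(count, esize, dst_cap, &total)) return -1;
    if (total > in_len - HDR_LEN) return -1;      /* declared more than present */
    memcpy(dst, in + HDR_LEN, total);
    return (long)total;
}

/* Constructed sample inputs (not real bitstream data). */
static const uint8_t BENIGN_BLOCK[] = {
    2, 0, 0, 0,  4, 0, 0, 0,            /* 2 entries of 4 bytes = 8 bytes */
    1, 2, 3, 4, 5, 6, 7, 8 };
static const uint8_t WRAPPING_BLOCK[] = {
    0x01, 0x00, 0x00, 0x40,  4, 0, 0, 0, /* 0x40000001 * 4 wraps to 4 */
    0xAA, 0xBB, 0xCC, 0xDD };
static const uint8_t TRUNCATED_BLOCK[] = {
    8, 0, 0, 0,  4, 0, 0, 0,            /* claims 32 bytes, carries 4 */
    9, 9, 9, 9 };

long demo_benign_block(void) {
    uint8_t dst[64];
    return parse_block(BENIGN_BLOCK, sizeof BENIGN_BLOCK, dst, sizeof dst);
}
long demo_wrapping_block(void) {
    uint8_t dst[64];
    return parse_block(WRAPPING_BLOCK, sizeof WRAPPING_BLOCK, dst, sizeof dst);
}
long demo_truncated_block(void) {
    uint8_t dst[64];
    return parse_block(TRUNCATED_BLOCK, sizeof TRUNCATED_BLOCK, dst, sizeof dst);
}

int main(void) {
    printf("wrap-prone size for 0x40000001 x 4: %u bytes\n",
           vulnerable_payload_bytes(0x40000001u, 4u));
    printf("benign block: %ld, wrapping block: %ld, truncated block: %ld\n",
           demo_benign_block(), demo_wrapping_block(), demo_truncated_block());
    return 0;
}
```

The hardened path fails closed on every size it cannot prove safe, which is the property a media decoder exposed to unsolicited input needs: a rejected block costs one skipped frame, whereas a wrapped size costs memory integrity.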

Why Android was hit hardest

While the vulnerable Dolby decoder is used across multiple operating systems, Android stood out for one key reason: it processes incoming audio automatically.

On modern Android versions, audio attachments and voice messages are decoded locally for features like transcription, even before the user opens them. No tap, no playback and no other user interaction is needed at all.

Google Project Zero confirmed that on Android, this was a true 0-click vulnerability. In testing, researchers were able to trigger crashes and later achieve 0-click code execution simply by sending a malicious audio file via RCS.

Crashes were reproduced on multiple real-world devices and platforms, namely:

  • Pixel 9 running Android 16 (SIGSEGV crash)
  • Samsung Galaxy S24
  • macOS (Apple Silicon)
  • iOS 26 on iPhone 17 Pro
  • Windows and ChromeOS (via downstream integrations)

This confirmed that the bug was not Android-exclusive, but Android’s media pipeline made it far more dangerous in practice.

Dolby downplayed the risk, others didn’t

In its own security advisory published on October 14, 2025, Dolby rated the issue as “Medium” severity (CVSS 6.7), stating that:

  • The exploit requires a manually edited bitstream
  • Dolby authoring tools cannot generate such files
  • Most outcomes would be media player crashes

However, both Google Project Zero and national cybersecurity agencies, including the Centre for Cybersecurity Belgium, took a much more serious view, especially due to the Android 0-click attack surface.

The Belgian advisory explicitly warned that exploitation on Android requires no user interaction and recommended urgent patching, even suggesting that users temporarily disable RCS to reduce exposure.

Fixes rolled out, but Android lagged behind

By late 2025, several platforms had already addressed the issue. Microsoft published fixes for Windows, ChromeOS silently patched the vulnerable binaries, Apple mitigated the issue at the OS level, and Dolby provided updated components to OEMs.

Android, however, only fully closes the loop with the January 2026 security update.

If your device receives monthly or quarterly security updates, installing the January 2026 Android security patch is strongly recommended. This update ensures that the vulnerable Dolby DD+ decoder is patched, the known 0-click attack vector via audio decoding is closed, and devices are protected against potential real-world exploitation.

As always, rollout timing will depend on your manufacturer, but Pixel devices should receive the update first, followed by Samsung and other OEMs.

If you care about device security, especially against silent, no-interaction attacks, don’t skip this update.

Hillary Keverenge