U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Google fixes critical Dolby Decoder bug in Android January update

Android’s January 2026 update fixes CVE-2025-54957, a critical Dolby audio decoder flaw discovered by Google researchers in October 2025. A critical Dolby audio decoder vulnerability, tracked as CVE-2025-54957, was addressed in the January 2026 Android security update. Google fixed the flaw in December 2025 for Pixel phones and has now rolled out the fix to […]

Google Android Qualcomm flaw CVE-2026-21385

Android’s January 2026 update fixes CVE-2025-54957, a critical Dolby audio decoder flaw discovered by Google researchers in October 2025.

A critical Dolby audio decoder vulnerability, tracked as CVE-2025-54957, was addressed in the January 2026 Android security update. Google fixed the flaw in December 2025 for Pixel phones and has now rolled out the fix to all Android devices.

The flaw in Dolby DD+ decoders (UDC v4.5–v4.13) can cause an out-of-bounds write when processing a specially crafted DD+ bitstream, potentially increasing risk on Android devices, including Pixel, if chained with other vulnerabilities.

“An out of bounds write within UDC v4.5 -> UDC v4.13 may occur when a unique Dolby Digital Plus (DD+) bitstream is processed by a DD+ decoder. This issue does not occur with a standard DD+ bitstream but only when a manually edited (though “valid”) bitstream is created. Dolby authoring tools are incapable of creating this type of bitstream.” reads the advisory. “We are aware of a report found with Google Pixel devices indicating that there is a possible increased risk of vulnerability if this bug is used alongside other known Pixel vulnerabilities. Other Android mobile devices could be at risk of similar vulnerabilities”

Google Project Zero’s Ivan Fratric and Natalie Silvanovich discovered the vulnerability in October 2025.

Google Project Zero researchers state that an integer overflow can cause an out-of-bounds write, potentially overwriting pointers. On Android, it’s a 0-click bug because audio is decoded automatically.

“When a file is processed by Dolby’s DDPlus Unified Decoder, an out of bounds write is possible when the evolution data is processed. The decoder writes evolution information into a large, heap-like contiguous buffer contained by a larger struct, and the length calculation for one write can overflow due to integer wrap. This leads to the ‘allocated’ buffer to be too small, and the out-of-bounds check of the subsequent write to be ineffective. This can allow later members of the struct to be overwritten, including a pointer that is written to when the next syncframe is processed.” reads the report published by Google Project Zero. “On Android, this is a 0-click vulnerability, as Android locally decodes all incoming audio messages and audio attachments for transcription, using this decoder, without the user interacting with the device. This code is present on MacOS, but it is not clear whether this bug is reachable due to pre-processing checks.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2025-54957)