The Android zero-click vulnerability that could attack you without any action (CVE-2025-54957)
The January 2026 Android security update fixed a Critical vulnerability in Dolby’s audio decoder. It was the kind of bug that enables a zero-click attack: the victim could be compromised without doing anything at all.
What Is CVE-2025-54957?
This vulnerability existed in the Dolby Digital Plus (DD+) Unified Decoder (UDC). The affected versions are UDC v4.5 through v4.13.
Technically, it is an integer overflow that leads to an out-of-bounds write. While processing evolution data inside a DD+ bitstream, the decoder computes a packet size from length fields the attacker controls; the arithmetic wraps, the buffer comes out too small, and the decoder then writes past the end of it.
Because that write can land on critical data structures such as function pointers, an attacker who controls the overwritten bytes can turn it into remote code execution (RCE).
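The arithmetic behind this bug class, as an added illustration that is not Dolby’s code and not the real DD+ evolution-data layout: a constructed packet header carries an element count and an element size, the vulnerable path multiplies them in 32-bit arithmetic and sizes a buffer from the wrapped result, and the hardened path widens first, rejects anything that would not fit, and also rejects anything larger than the bytes remaining in the frame. The header format, field names and sample bytes are all assumptions made for the example; no out-of-bounds write is performed, the overrun is only computed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for an extension packet header in the bitstream:
 * a 32-bit element count followed by a 32-bit element size, both big-endian
 * and both attacker-controlled. This is NOT the real DD+ evolution-data
 * layout; it exists only to show the size arithmetic. */
#define HEADER_BYTES 8u

typedef struct {
    uint32_t num_elements;
    uint32_t element_size;
} ext_header_t;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static ext_header_t parse_header(const uint8_t hdr[HEADER_BYTES])
{
    ext_header_t h = { be32(hdr), be32(hdr + 4) };
    return h;
}

/* Vulnerable pattern: payload length computed in 32-bit arithmetic and used
 * directly to size the buffer. The multiply can wrap to a small value. */
static uint32_t vuln_packet_size(const ext_header_t *h)
{
    return h->num_elements * h->element_size + HEADER_BYTES;
}

/* How far the per-element copy loop would run past a buffer sized by
 * vuln_packet_size(). Computed, not performed: this program never writes
 * out of bounds, the arithmetic alone exposes the bug. */
static uint64_t vuln_overrun_bytes(const ext_header_t *h)
{
    uint64_t needed = (uint64_t)h->num_elements * h->element_size + HEADER_BYTES;
    uint32_t alloc  = vuln_packet_size(h);
    return needed > alloc ? needed - alloc : 0;
}

/* Hardened pattern: widen before multiplying, refuse anything that would not
 * fit in the 32-bit size, and refuse anything that claims more bytes than
 * are actually left in the frame (bytes_left). */
static bool safe_packet_size(const ext_header_t *h, uint32_t bytes_left,
                             uint32_t *out)
{
    uint64_t payload = (uint64_t)h->num_elements * h->element_size;
    if (payload > UINT32_MAX - HEADER_BYTES)
        return false;                 /* would wrap in 32 bits */
    uint32_t total = (uint32_t)payload + HEADER_BYTES;
    if (total > bytes_left)
        return false;                 /* header lies about the frame size */
    *out = total;
    return true;
}

/* Constructed sample headers, not captured from any real stream. */
static const uint8_t BENIGN_HDR[HEADER_BYTES] = {
    0x00, 0x00, 0x00, 0x10,           /* 16 elements                        */
    0x00, 0x00, 0x00, 0x20 };         /* 32 bytes each: 16*32 + 8 = 520     */
static const uint8_t EVIL_HDR[HEADER_BYTES] = {
    0x00, 0x01, 0x00, 0x00,           /* 65536 elements                     */
    0x00, 0x01, 0x00, 0x00 };         /* 65536 bytes each: 2^32 wraps to 0  */

int main(void)
{
    const uint8_t *hdrs[] = { BENIGN_HDR, EVIL_HDR };
    for (size_t i = 0; i < 2; i++) {
        ext_header_t h = parse_header(hdrs[i]);
        uint32_t safe_sz = 0;
        bool ok = safe_packet_size(&h, 4096, &safe_sz);
        printf("count=%u size=%u vuln_alloc=%u overrun=%llu hardened=%s\n",
               h.num_elements, h.element_size, vuln_packet_size(&h),
               (unsigned long long)vuln_overrun_bytes(&h),
               ok ? "accept" : "reject");
    }
    return 0;
}
```

For the malicious header the vulnerable computation allocates 8 bytes while the element loop believes it has 2^32 bytes of payload to copy; the hardened check rejects the header before any buffer is allocated. The second check (against bytes_left) matters on its own: a size that fits in 32 bits can still exceed the input actually present, which is a separate out-of-bounds read.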
Why Is It Zero-Click?
Most malware can be avoided simply by not opening suspicious files. This case is different.
When an Android device receives an audio message, the system may decode it automatically in the background, for example to render a preview in a notification or to transcribe it. In other words:
- The attacker sends a crafted DD+ audio file
- The victim’s Android device receives it
- Even if the user does nothing, the system automatically parses the file
- The vulnerability triggers during that process and executes arbitrary code
Your phone could have been compromised while it was still in your pocket.
Attack Paths
Any route that can deliver an audio file could be used.
- SMS / MMS: an MMS audio attachment reaches anyone whose phone number the attacker knows
- RCS: supports rich media attachments, including audio
- Email: as an attachment
- Chat apps: especially risky if they auto-download and preview media
Mitigation
Updating to security patch level 2026-01-05 or later fixes the issue.
How to Check
- Open Settings
- Tap About phone or Device information
- Check Android security patch level
- If it shows January 5, 2026 or later, you are patched
For Pixel Devices
Pixel devices received the fix early, in December 2025. Google ships updates for its own devices directly, so they were patched first.
For Other Manufacturers
Vendors such as Samsung, Xiaomi, and OPPO may ship their updates days or weeks after Google publishes the bulletin. If an update notification arrives, install it rather than postponing it.
Temporary Risk Reduction
Until the patch arrives, turning off automatic media downloads in messaging apps reduces some of the exposure: a crafted file that is never fetched is never decoded in the background. It is not a real fix, though. Updating remains the priority.
Timeline
| Date | Event |
|---|---|
| June 2025 | Reported to Dolby by Google Project Zero |
| October 2025 | Dolby issued a security advisory |
| December 2025 | Early patch shipped for Pixel devices |
| January 5, 2026 | Patch released for Android broadly |
Summary
This is the kind of zero-click vulnerability that breaks the usual rule of thumb that “you’re safe if you don’t open suspicious files.” In this case, the target was Dolby’s audio decoder.
If you use Android, check your security patch level right now. If it is older than 2026-01-05, install the update as soon as possible.