On Android, the out-of-bounds write issue can be triggered during the processing of media files without user interaction.
October 20, 2025 By Ionut Arghire
A high-severity vulnerability in Dolby’s Unified Decoder could be exploited for remote code execution, without user interaction in certain cases.
Built on top of the Dolby Digital Plus (DD+) standard, the Unified Decoder is a decoder component integrated into software and hardware products that processes DD+, Dolby AC-4, and other audio formats, converting them into audio that can be played back through speakers.
Google Project Zero researchers Ivan Fratric and Natalie Silvanovich found that the decoder was affected by an out-of-bounds write that can be triggered while it processes evolution data.
“The decoder writes evolution information into a large, heap-like contiguous buffer contained by a larger struct, and the length calculation for one write can overflow due to integer wrap,” Silvanovich explains.
The wrapped length, she notes, leaves the allocated buffer too small for the data that is actually written and makes the out-of-bounds check on the subsequent write ineffective.
“This can allow later members of the struct to be overwritten, including a pointer that is written to when the next syncframe is processed,” she notes.
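The chain Silvanovich describes (a length that wraps, a bounds check that compares the wrapped value, and a copy that writes the real amount past the buffer into the members that follow it) is shown below as an added C illustration. This is not Dolby's code and not Project Zero's proof of concept: the struct layout, the 8-bit length field, the field and function names, and the 33 entries of 8 bytes used as input are all assumptions chosen so the pattern reproduces deterministically, with a hardened variant alongside it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout, modelled on the description and not Dolby's actual
 * struct: a large contiguous scratch area embedded in a larger struct,
 * followed by bookkeeping members, including a pointer that a later
 * processing step writes through. */
#define EVO_BUF_SIZE 200u

struct decoder_state {
    uint8_t  evo_buf[EVO_BUF_SIZE]; /* "heap-like" contiguous buffer       */
    uint32_t evo_used;              /* bytes already reserved in evo_buf   */
    uint32_t frame_count;
    uint8_t *next_frame_out;        /* written through on the next syncframe */
    uint8_t  tail[64];              /* keeps the demo overflow inside the struct */
};

/* Vulnerable pattern: the total is computed in a narrow integer, so
 * count * entry_size wraps. The wrapped value is what gets reserved and
 * what the bounds check compares, while the copy loop writes the real
 * count * entry_size bytes. */
static int evo_write_vulnerable(struct decoder_state *st, unsigned count,
                                unsigned entry_size, const uint8_t *src)
{
    uint8_t total = (uint8_t)(count * entry_size);     /* integer wrap */

    if ((size_t)st->evo_used + total > EVO_BUF_SIZE)   /* checks the wrapped value */
        return -1;

    /* Byte pointer into the enclosing struct so the demo stays within
     * one object; the real bug has no such limit. */
    uint8_t *dst = (uint8_t *)st
                 + offsetof(struct decoder_state, evo_buf) + st->evo_used;
    for (unsigned i = 0; i < count; i++)
        memcpy(dst + (size_t)i * entry_size, src, entry_size);

    st->evo_used += total;                             /* reserves the wrapped size */
    return 0;
}

/* Hardened: compute the length in size_t, reject multiplication overflow
 * explicitly, and bounds-check the number of bytes actually copied. */
static int evo_write_fixed(struct decoder_state *st, unsigned count,
                           unsigned entry_size, const uint8_t *src)
{
    if (entry_size != 0 && count > SIZE_MAX / entry_size)
        return -1;                                     /* product would overflow */
    size_t total = (size_t)count * entry_size;
    if (total > EVO_BUF_SIZE - st->evo_used)           /* compares the real length */
        return -1;

    for (unsigned i = 0; i < count; i++)
        memcpy(st->evo_buf + st->evo_used + (size_t)i * entry_size, src, entry_size);
    st->evo_used += (uint32_t)total;
    return 0;
}

/* Later stage: the decoder writes through the pointer when it handles the
 * next syncframe. With a clobbered pointer this becomes an arbitrary write. */
static void process_next_syncframe(struct decoder_state *st)
{
    st->frame_count++;
    *st->next_frame_out = (uint8_t)st->frame_count;
}

/* Drives one evolution write with constructed input and reports:
 *  -1  the write was rejected,
 *   1  the write was accepted and clobbered next_frame_out,
 *   0  the write was accepted and the struct stayed intact. */
static int run_demo(int (*write_fn)(struct decoder_state *, unsigned,
                                    unsigned, const uint8_t *),
                    unsigned count, unsigned entry_size)
{
    struct decoder_state st;
    uint8_t marker = 0;
    static const uint8_t entry[8] = { 'A','A','A','A','A','A','A','A' }; /* constructed payload */

    memset(&st, 0, sizeof st);
    st.next_frame_out = &marker;

    /* With count=33, entry_size=8: 264 wraps to 8 in a uint8_t, so the
     * check passes, yet 264 bytes are copied and run past evo_buf into
     * evo_used, frame_count and next_frame_out. */
    if (write_fn(&st, count, entry_size, entry) != 0)
        return -1;
    if (st.next_frame_out != &marker)
        return 1;                         /* pointer now holds payload bytes */
    process_next_syncframe(&st);          /* safe only because the pointer is intact */
    return 0;
}

int main(void)
{
    printf("vulnerable, 33x8: %d (1 = pointer clobbered)\n", run_demo(evo_write_vulnerable, 33, 8));
    printf("fixed,      33x8: %d (-1 = rejected)\n", run_demo(evo_write_fixed, 33, 8));
    printf("fixed,       5x8: %d (0 = accepted, intact)\n", run_demo(evo_write_fixed, 5, 8));
    return 0;
}
```

Compile with any C99 compiler and run. The vulnerable variant accepts the 33-entry input, and `next_frame_out` afterwards reads back as the payload bytes (0x4141414141414141 on a 64-bit target), which the syncframe step would then write through; the fixed variant rejects the same input and still accepts a 5-entry write. The `tail` member exists only so the demonstration overflow stays within the object.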
Tracked as CVE-2025-54957 (CVSS score of 7.0), the security defect can be triggered with a maliciously crafted audio message and could lead to remote code execution.