Out-of-bounds write in Dolby UDC DD+ decoder
CVE-2025-54957 is a memory-corruption vulnerability in the Dolby DDPlus Unified Decoder (UDC), versions 4.5 through 4.13. When the decoder processes Evolution/EMDF data from a specially crafted DD+ bitstream, code in evo_priv.c computes the length of a buffer write using arithmetic that can wrap around (integer overflow). The wrapped value can cause the decoder to allocate a buffer smaller than required; a subsequent bounds check is then ineffective relative to the true amount of data written, resulting in an out-of-bounds write in the DD+ decoder process. Public reporting states that the issue is triggered by DD+ bitstreams that have been manually edited yet still parse as 'valid', and that it has been shown to enable memory corruption and, on Android, code execution in the mediacodec context.
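A hypothetical illustration of the length-arithmetic flaw described above, added here and not taken from Dolby's evo_priv.c or any decoder source: `unchecked_len` models a 32-bit size computation that wraps, `overrun_bytes` shows why a bounds check against the wrapped value passes while the real write exceeds the allocation, and `checked_len_or_zero` shows the overflow-checked form that rejects the frame instead. The frame layout, names and constants are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed frame layout (not Dolby's): a fixed header followed by
 * `count` elements of `elem_size` bytes each. */
#define HDR_BYTES 16u

/* Bug pattern: 32-bit arithmetic wraps silently, so a huge element count
 * can yield a small length, and the buffer is then sized from that value. */
static uint32_t unchecked_len(uint32_t count, uint32_t elem_size) {
    return count * elem_size + HDR_BYTES;
}

/* Why a later bounds check is ineffective: it compares against the same
 * wrapped length the buffer was sized with, so it passes, while the write
 * loop emits the true byte count. Returns how many bytes the write would
 * exceed the allocation by (0 means no overrun). */
static uint64_t overrun_bytes(uint32_t count, uint32_t elem_size) {
    uint32_t alloc = unchecked_len(count, elem_size);            /* buffer size */
    uint64_t needed = (uint64_t)count * elem_size + HDR_BYTES;  /* real write size */
    return needed > alloc ? needed - alloc : 0;
}

/* Hardened form: overflow-checked arithmetic; returns 0 (reject the frame)
 * on wraparound instead of allocating an undersized buffer. */
static uint32_t checked_len_or_zero(uint32_t count, uint32_t elem_size) {
    uint32_t prod, total;
    if (__builtin_mul_overflow(count, elem_size, &prod)) return 0;
    if (__builtin_add_overflow(prod, HDR_BYTES, &total)) return 0;
    return total;
}

int main(void) {
    /* Constructed inputs: a benign frame and one whose length wraps. */
    uint32_t benign_count = 100u, bad_count = 0x40000001u, elem = 4u;
    printf("benign: len=%u overrun=%llu checked=%u\n",
           unchecked_len(benign_count, elem),
           (unsigned long long)overrun_bytes(benign_count, elem),
           checked_len_or_zero(benign_count, elem));
    printf("wrapped: len=%u overrun=%llu checked=%u\n",
           unchecked_len(bad_count, elem),
           (unsigned long long)overrun_bytes(bad_count, elem),
           checked_len_or_zero(bad_count, elem));
    return 0;
}
```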
Exploits
No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.
Recent activity
A zero-click remote code execution vulnerability in the Dolby Media Framework used as the initial entry point in an exploit chain against Google Pixel devices.
A zero-click vulnerability in Dolby components on Android that was used as the remote/initial access part of an exploit chain against Google Pixel devices. The content states it existed across all of Android until patched in January 2026.
A vulnerability in the Dolby audio decoder used in a Pixel 9 zero-click exploit chain to achieve arbitrary code execution in the Android mediacodec context via automatically processed audio attachments in Google Messages.
A memory-corruption vulnerability in the Dolby Unified Decoder (UDC) related to EMDF metadata processing that can lead to remote code execution in the Android media decoding (mediacodec) context as part of a zero-click attack chain.