CVE-2025-54957: CVE-2025-54957: Integer Overflow to Heap-Based Buffer Overflow in Dolby Unified Decoder

CVE-2025-54957: Integer Overflow to Heap-Based Buffer Overflow in Dolby Unified Decoder

Vulnerability ID: CVE-2025-54957
CVSS Score: 9.8
Published: 2025-10-20

CVE-2025-54957 is a critical integer overflow vulnerability in the Dolby Unified Decoder (UDC) library, specifically within the parsing of Extensible Metadata Delivery Format (EMDF) data. This flaw leads to an out-of-bounds write on the heap, allowing remote attackers to achieve zero-click code execution on vulnerable platforms.

TL;DR

A zero-click integer overflow in the Dolby Unified Decoder enables remote code execution via malformed DD+ audio files, severely impacting background media processing services.

---

⚠️ Exploit Status: POC

Technical Details

• CWE ID: CWE-190
• Attack Vector: Network (0-click)
• CVSS: 9.8
• EPSS: 0.06%
• Impact: Remote Code Execution
• Exploit Status: PoC / Active Exploration
• KEV Status: Not Listed

Affected Systems

• Android
• macOS
• ChromeOS
• Windows
• Dolby Unified Decoder (UDC): >= 4.5, <= 4.13

Mitigation Strategies

• Apply vendor security updates
• Disable audio transcriptions in messaging apps
• Implement bitstream validation in media parsers

Remediation Steps:

1. Identify vulnerable devices running Android, ChromeOS, Windows, or macOS.
2. Apply the January 2026 Android Security Bulletin update on Android devices.
3. Update ChromeOS devices to the September 18, 2025 stable channel release.
4. Disable 'Show transcriptions for audio messages' in Google Messages as a temporary workaround.

References

• Google Project Zero Technical Blog
• Google Project Zero Issue Tracker
• NVD Detail

---

Read the full report for CVE-2025-54957 on our website for more details including interactive diagrams and full exploit analysis.