India’s cybersecurity agency CERT-In has issued a critical security warning for Android users after discovering a serious vulnerability that could allow remote attackers to run malicious code on affected devices. The vulnerability, listed as CIVN-2026-0016, impacts Android devices that use Dolby UDC versions 4.5 to 4.13.
According to CERT-In, the issue has been rated Critical due to the high risk of remote code execution. Successful exploitation could give attackers control over parts of the system. The issue has been assigned CVE-2025-54957.
The problem lies in how Android handles Dolby Digital Plus (DD+) audio decoding. A buffer overflow bug in the Dolby UDC component can lead to memory corruption, which may cause app crashes or, in the worst case, allow attackers to execute arbitrary code remotely.
CERT-In explains that the vulnerability can be triggered when a specially crafted DD+ audio stream is processed by the system. While normal audio files are unlikely to cause issues, a manipulated but valid audio stream could exploit the flaw.
The advisory applies to all Android users, including individuals and organizations. Dolby has confirmed that the issue has been observed on Google Pixel devices, where the risk could increase if combined with other known Android vulnerabilities. Other Android devices may also be affected depending on their software configuration.
In its own advisory, Dolby classifies the flaw as an integer overflow vulnerability. The company notes that media player crashes are the most common outcome, but the potential for code execution makes this vulnerability serious.
CERT-In strongly advises users to install the latest Android security updates as soon as they are available. Google has already addressed the issue in its January 2026 Android Security Bulletin.







