CVE-2025-54957: Integer Overflow to Heap-Based Buffer Overflow in Dolby Unified Decoder

The Dolby Unified Decoder provides essential support for processing Dolby Digital (DD/AC-3) and Dolby Digital Plus (DD+/EAC-3) audio formats. The decoder processes Extensible Metadata Delivery Format (EMDF) data extracted from these bitstreams. The vulnerability resides specifically within the evo_priv.c source file, which handles "Evolution" metadata payloads during decoding.

CVE-2025-54957 manifests as a CWE-190 integer overflow that cascades directly into a CWE-787 out-of-bounds write. This flaw occurs during dynamic memory allocation on the "evo heap", a custom contiguous memory slab managed within a 692 KB static buffer. The decoder calculates the payload size incorrectly during alignment operations, resulting in an integer wrap.

The attack surface is exposed across multiple platforms integrating the Dolby library, including Android, ChromeOS, Windows, and macOS. On Android devices, the vulnerability is exposed without user interaction via messaging applications like Google Messages. This network-based vector allows an attacker to trigger the vulnerability simply by sending a maliciously crafted SMS or RCS attachment.

The EPSS score of 0.00023 indicates a relatively low current probability of widespread automated exploitation. However, the public availability of proof-of-concept components and technical research reduces the barrier to entry for targeted attacks. Security engineering teams must prioritize remediation given the high severity and zero-click characteristics of this vulnerability.

The ddp_udc_int_evo_malloc function dynamically allocates space for EMDF payloads within the internal evo heap. During this allocation phase, the function determines the required memory size based on an attacker-supplied total_size value extracted from the incoming bitstream. To ensure strict memory alignment, the function performs a modulo arithmetic operation prior to the actual allocation.

The alignment logic adds necessary padding to align the allocation to an 8-byte boundary. On 64-bit platforms, an attacker can supply a total_size value carefully chosen between 0xFFFFFFFFFFFFFFF9 and 0xFFFFFFFFFFFFFFFF. The addition of the padding value causes the 64-bit unsigned integer to overflow, wrapping around to a very small integer value.

The memory allocator utilizes this wrapped-around integer to reserve space on the evo heap. Subsequently, a data copy loop transfers the EMDF payload from the bitstream into this newly allocated buffer. This copy operation utilizes the original, un-wrapped payload_length as its loop boundary condition, leading to a significant length mismatch.

The bitstream parsing mechanism also relies on an emdf_container_length variable, which specifies the total container boundaries. If an attacker sets emdf_container_length to a value larger than the actual bitstream data, the decoder continues reading past the end of the provided payload. This reads uninitialized memory from an 85 KB "skip buffer", creating an information leak primitive.

The vulnerability exists directly in the padding calculation logic prior to the internal memory allocation step. The vulnerable alignment check evaluates the modulo of total_size and adds padding to reach an 8-byte alignment. The absence of an upper-bound check on the total_size variable before the addition enables the arithmetic overflow.

// Vulnerable logic pattern reconstructed from analysis
uint64_t total_size = get_emdf_payload_size(bitstream);
// Missing bounds check leads to overflow
if (total_size % 8) {
    total_size += (8 - total_size) % 8; 
}
buffer = ddp_udc_int_evo_malloc(evo_heap, total_size);
 
// Copy utilizes the original, large payload size
copy_emdf_data(buffer, bitstream, get_emdf_payload_size(bitstream));

The remediation requires validating the integer boundaries strictly before performing any arithmetic operations. A robust fix implements safe math functions or explicit bounds checking against the maximum acceptable payload size. The allocation must fail entirely if the requested size exceeds the maximum capacity of the evo heap or if an overflow condition is detected.

Correcting the integer overflow prevents the subsequent out-of-bounds write primitive. However, the secondary leak primitive involving emdf_container_length must also be addressed to secure the component fully. Comprehensive patches validate both the allocation bounds and the container length boundaries against the actual input stream size.

The primary exploitation vector targets Android devices through background processing features in applications like Google Messages. Modern devices, such as the Pixel 9 series, automatically process incoming audio attachments to generate transcriptions. This background processing routes the malicious .ec3 or .ac3 file to the Dolby decoder without requiring the recipient to interact with the device or the message.

The attacker crafts a DD+ bitstream containing specific EMDF payload lengths designed to trigger the exact integer wrap. The exploit carefully structures the subsequent bitstream bytes to overwrite adjacent members of the decoder's internal memory structures. Because the copy operation uses a structured bit reader, the attacker controls both the exact number of bytes written and their corresponding values.

The exploitation of this library executes within the restricted mediacodec sandbox domain. Achieving full device compromise requires the attacker to chain this initial vulnerability with a secondary privilege escalation flaw. Public research details indicate that attackers pair this remote code execution with a kernel-mode driver vulnerability, such as CVE-2025-36934.

Exploitation relies on the target platform actively parsing the malformed audio stream. While the vulnerable code is confirmed present on macOS and Windows, reachability depends heavily on the specific media frameworks and pre-processing checks implemented by the operating system. Android and ChromeOS process the stream directly, making them highly susceptible.

The Android operating system isolates media parsing libraries within the heavily restricted mediacodec domain. This process runs with an unprivileged user ID and utilizes a stringent SELinux policy. The sandbox explicitly prevents direct access to user data, hardware peripherals, and the underlying kernel interfaces.

Modern operating systems employ Address Space Layout Randomization (ASLR) to randomize the memory locations of key data structures and executable code. The Dolby decoder library is subject to these protections, complicating reliable exploitation. The aforementioned information leak primitive provides the necessary memory layout details to bypass these mitigations successfully.

Gaining code execution within the mediacodec process does not constitute a full device compromise on its own. Attackers must leverage this initial foothold to interact with the accessible attack surface, typically the kernel binder interfaces or specific accessible drivers. The exploit chain documented by researchers utilizes a secondary kernel vulnerability to escape the sandbox.

The risk profile varies significantly across the affected platforms due to differing architectural choices in media handling. Android and ChromeOS expose the vulnerability directly through their respective background processing mechanisms. Conversely, macOS and Windows implement intermediate media frameworks that may sanitize or reject the malformed bitstream before it reaches the Dolby library.

Successful exploitation grants an attacker arbitrary code execution within the context of the vulnerable media processing service. The out-of-bounds write allows the direct manipulation of program execution flow by overwriting function pointers or critical internal data structures. The attacker gains the permissions and network access associated with the compromised process.

The vulnerability carries a critical CVSS v3.1 base score of 9.8. The network attack vector and the lack of required user interaction maximize the exploitability metrics. The total compromise of confidentiality, integrity, and availability reflects the ability to execute arbitrary code and potentially crash the media service entirely.

The associated out-of-bounds read primitive significantly aids the exploitation process. Extracting uninitialized memory or adjacent data from the skip buffer exposes sensitive pointer information to the attacker. This deterministic memory disclosure enables highly reliable exploitation of the subsequent memory corruption.

The zero-click nature of this vulnerability over SMS and RCS protocols presents a severe risk to mobile device fleets. Threat actors can deploy exploits at scale without relying on user interaction or social engineering tactics. The documented use of similar vulnerabilities in advanced exploit chains highlights the practical viability of this attack vector.

Administrators and end-users must apply the vendor-supplied security updates to resolve this vulnerability permanently. Google resolved the issue for the Android platform in the January 2026 Android Security Bulletin. ChromeOS users must ensure their devices are updated to the stable channel release dated September 18, 2025, or later.

Vendors integrating the Dolby Unified Decoder into custom hardware or software must update their embedded libraries to a secure version. Dolby released patches addressing the issue in UDC versions following 4.13. Systems utilizing libcodec2_soft_ddpdec.so must replace the binary with the updated compilation provided by the OS vendor.

If immediate patching is unfeasible, users can reduce the attack surface by altering specific application configurations. On Android devices, disabling the "Show transcriptions for audio messages" feature in Google Messages prevents the automatic background processing of audio files. This effectively neutralizes the primary zero-click vector.

Security teams should deploy network intrusion detection signatures to monitor for malformed DD+ bitstreams at the network edge. Snort or YARA rules can identify EMDF containers with unusually large emdf_payload_size or emdf_container_length values. Monitoring for unexpected crashes in the C2 or mediacodec processes provides a secondary indicator of compromise.