Overview
- Google’s 2026-01-05 patch level fixes CVE-2025-54957, an integer overflow in the Dolby Digital Plus decoder that can enable remote code execution via crafted audio files.
- Because Android decodes voice messages and attachments in the background for transcription, a malicious RCS audio message can be processed without user interaction.
- The vulnerability affects multiple platforms, but Windows and ChromeOS received fixes in late 2025, leaving Android to follow with this focused January update.
- There are no confirmed in-the-wild attacks on Android, yet users are urged to install the update immediately; Pixels receive it first, with Samsung and other vendors to follow. Some authorities advised temporarily disabling RCS until the device is patched.
- Google Project Zero researchers Ivan Fratric and Natalie Silvanovich discovered the flaw in June 2025 and demonstrated a working proof-of-concept on a Pixel 9 in October 2025, underscoring the exploitability of the bug.
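The practical question for an administrator or a cautious user is whether a given device already carries the 2026-01-05 patch level named above. The script below is an added example, not part of the original report or of any Google tooling: it reads the device's patch level through the real Android system property `ro.build.version.security_patch` (exposed via `adb shell getprop`) and compares it with the fixed level. The `adb` wrapper assumes the Android platform tools are installed and a device is connected; the sample values fed to the comparison function are constructed so the logic can be exercised offline.

```shell
# Added example: check an Android device's security patch level against the
# 2026-01-05 level that fixes CVE-2025-54957. Android reports the patch level
# as the system property ro.build.version.security_patch in YYYY-MM-DD form.

REQUIRED_PATCH="2026-01-05"

# patch_level_ok LEVEL [REQUIRED]
# Exit status 0 when LEVEL is a well-formed YYYY-MM-DD date equal to or later
# than REQUIRED (default: $REQUIRED_PATCH), 1 when it is older, 2 when the
# value is empty or malformed (treat that as "unknown", not as "safe").
patch_level_ok() {
    level="$1"
    required="${2:-$REQUIRED_PATCH}"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Strip the dashes so the dates become 8-digit integers (YYYYMMDD),
    # which compare correctly with a plain numeric test.
    n=$(printf '%s' "$level" | tr -d '-')
    r=$(printf '%s' "$required" | tr -d '-')
    if [ "$n" -ge "$r" ]; then
        return 0
    fi
    return 1
}

# check_device: query the connected device with adb and print one status line.
# Assumes adb is on PATH and exactly one authorised device is attached.
check_device() {
    if ! command -v adb >/dev/null 2>&1; then
        echo "UNKNOWN: adb not found, cannot query the device" >&2
        return 2
    fi
    level=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n')
    if patch_level_ok "$level"; then
        echo "OK: patch level $level includes the fix for CVE-2025-54957 ($REQUIRED_PATCH)"
        return 0
    elif [ "$level" = "" ]; then
        echo "UNKNOWN: could not read ro.build.version.security_patch"
        return 2
    else
        echo "VULNERABLE: patch level $level predates $REQUIRED_PATCH"
        return 1
    fi
}

# Constructed sample values (not from any real device) so the comparison
# can be exercised without hardware: one older level, the fixed level,
# one newer level and one malformed value.
for sample in 2025-12-05 2026-01-05 2026-02-01 not-a-date; do
    if patch_level_ok "$sample"; then
        echo "$sample: covered"
    else
        echo "$sample: not covered or unreadable"
    fi
done
```

Run `check_device` with a device attached; a `VULNERABLE` result means the update has not yet arrived, which is the situation in which the temporary RCS mitigation mentioned above applies. The property is the same one shown under Settings as the "Android security update" date, so the check matches what the user sees on the device.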