CVE-2025-54957
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-20

Last updated on: 2025-10-21

Assigner: MITRE

Description
An issue was discovered in Dolby UDC 4.5 through 4.13. A crash of the DD+ decoder process can occur when a malformed DD+ bitstream is processed. When Evolution data is processed by evo_priv.c from the DD+ bitstream, the decoder writes that data into a buffer. The length calculation for a write can overflow due to an integer wraparound. This can lead to the allocated buffer being too small, and the out-of-bounds check of the subsequent write to be ineffective, leading to an out-of-bounds write.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-20
Last Modified
2025-10-21
Generated
2026-06-16
AI Q&A
2025-10-20
EPSS Evaluated
2026-06-15
NVD
CVE-2025-54957
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
dolby digital_plus 4.13
dolby digital_plus 4.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an out-of-bounds write flaw in the Dolby Digital Plus (DD+) decoder versions UDC 4.5 through 4.13. It occurs when processing a specially crafted DD+ bitstream that causes an integer overflow during length calculation, leading to a buffer that is too small. This results in an ineffective out-of-bounds check and a subsequent out-of-bounds write, which can cause the DD+ decoder process to crash or potentially allow code execution. [1]

Impact Analysis

The impact depends on the device. On Google Pixel devices, this vulnerability may increase the risk of exploitation, especially when combined with other known vulnerabilities, potentially allowing code execution. On other Android devices, similar risks exist. For other device types, the main effect is a media player crash or restart, which is a lower risk. Users are advised to keep their devices updated and enable automatic updates to mitigate this risk. [1]

Detection Guidance

This vulnerability occurs when processing a uniquely crafted, manually edited but still valid DD+ bitstream that causes the DD+ decoder process to crash. Detection can involve monitoring for unexpected crashes or restarts of media player applications or the DD+ decoder process. Since the malformed bitstream cannot be generated by standard Dolby authoring tools, detection might include capturing and analyzing DD+ bitstreams for unusual or manually edited content. Specific commands are not provided in the resources. [1]

Mitigation Strategies

Immediate mitigation steps include keeping devices updated and enabling automatic updates when possible. OEMs using Dolby DD+ are advised to contact Dolby for updated deliverables that address this vulnerability. Monitoring for media player crashes and applying vendor patches promptly are recommended. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-54957. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart