The January 2026 Android update patches a single vulnerability, a critical Dolby audio decoder issue whose existence came to light in October 2025.
The flaw, tracked as CVE-2025-54957, was described at the time of its disclosure as a medium-severity out-of-bounds write issue impacting the widely used Dolby Digital Plus (DD+) Unified Decoder.
The vulnerability, exploitable using specially crafted media files, was discovered by Google researchers and reported to Dolby in June 2025, with a patch released in September.
The vulnerability started making headlines in October, after Google made technical details public and Microsoft announced that it had patched the security hole in Windows.
In most cases, the vulnerability can lead to a crash or restart, which Google researchers have demonstrated on Pixel 9, Samsung S24, MacBook Air M1, and iPhone 17 Pro devices.
However, the researchers discovered that zero-click remote code execution can be achieved on Android devices. As a result, a critical severity rating has been assigned to CVE-2025-54957 on Android.
“On Android OS, audio attachments and voice messages are decoded locally; therefore, the flaw can be exploited without any user interaction,” explained Adam Boynton, senior security strategy manager at mobile device management and security firm Jamf.
Google included a patch for the flaw in its December 2025 update for Pixel phones, and the tech giant has now rolled out a patch for all Android devices.
The January 2026 Android security bulletin does not describe any other vulnerability. No Pixel, Android Automotive OS, or Wear patches have been released this month.

