Google issues urgent patch for zero-click Android vulnerability

Google has released its first Android security update of 2026, which is unusually short but addresses a single critical vulnerability.

The flaw exists in the Dolby Digital Plus Unified Decoder audio component, identified as CVE-2025-54957, and could allow attackers to compromise a smartphone without any interaction from the user by sending an SMS or RCS message. The update and vulnerability were reported on the Google Project Zero website.

The vulnerability was discovered by Google Project Zero specialists in June 2025 and affects the widely used Dolby audio component found on many devices. Initially, it was assessed as a medium-risk buffer overflow, but further analysis revealed that on Android it could enable remote code execution in a zero-click scenario, because voice messages and audio attachments are automatically decoded as soon as they are received.

The exploit has been demonstrated on a variety of platforms and devices, including Pixel and Samsung smartphones, as well as macOS and Windows computers. However, Android devices are particularly vulnerable, with the most serious consequences. Pixel devices received the fix in the December 2025 update, and the patch is now being rolled out to the broader Android ecosystem.

Notably, the January update includes no other security fixes, focusing entirely on resolving this single, critically dangerous vulnerability.

By Tamilla Hasanova