diff --git a/libwvdrmengine/mediacrypto/Android.mk b/libwvdrmengine/mediacrypto/Android.mk
index 7aba4c6a..3e01acd8 100644
--- a/libwvdrmengine/mediacrypto/Android.mk
+++ b/libwvdrmengine/mediacrypto/Android.mk
@@ -72,6 +72,8 @@ LOCAL_SHARED_LIBRARIES := \
   libhidlmemory \
   liblog
 
+LOCAL_CFLAGS := -Wthread-safety
+
 LOCAL_MODULE := libwvdrmcryptoplugin_hidl
 LOCAL_PROPRIETARY_MODULE := true
 
diff --git a/libwvdrmengine/mediacrypto/include_hidl/WVCryptoPlugin.h b/libwvdrmengine/mediacrypto/include_hidl/WVCryptoPlugin.h
index a7570731..47cfd5c0 100644
--- a/libwvdrmengine/mediacrypto/include_hidl/WVCryptoPlugin.h
+++ b/libwvdrmengine/mediacrypto/include_hidl/WVCryptoPlugin.h
@@ -7,11 +7,14 @@
 #ifndef WV_CRYPTO_PLUGIN_H_
 #define WV_CRYPTO_PLUGIN_H_
 
+#include <android-base/thread_annotations.h>
 #include <android/hidl/memory/1.0/IMemory.h>
 
+#include <mutex>
+
 #include "HidlTypes.h"
-#include "wv_content_decryption_module.h"
 #include "WVTypes.h"
+#include "wv_content_decryption_module.h"
 
 namespace wvdrm {
 namespace hardware {
@@ -59,13 +62,13 @@ struct WVCryptoPlugin : public ICryptoPlugin {
       const SharedBuffer& source,
       uint64_t offset,
       const DestinationBuffer& destination,
-      decrypt_1_2_cb _hidl_cb) override;
+      decrypt_1_2_cb _hidl_cb) override NO_THREAD_SAFETY_ANALYSIS; // use unique_lock
 
  private:
   WVDRM_DISALLOW_COPY_AND_ASSIGN_AND_NEW(WVCryptoPlugin);
 
   wvcdm::CdmSessionId mSessionId;
-  std::map<uint32_t, sp<IMemory> > mSharedBufferMap;
+  std::map<uint32_t, sp<IMemory> > mSharedBufferMap GUARDED_BY(mSharedBufferLock);
 
   sp<wvcdm::WvContentDecryptionModule> const mCDM;
 
@@ -73,6 +76,8 @@ struct WVCryptoPlugin : public ICryptoPlugin {
       const wvcdm::CdmDecryptionParameters& params,
       bool haveEncryptedSubsamples, std::string* errorDetailMsg);
   static void incrementIV(uint64_t increaseBy, std::vector<uint8_t>* ivPtr);
+
+  std::mutex mSharedBufferLock;
 };
 
 }  // namespace widevine
diff --git a/libwvdrmengine/mediacrypto/src_hidl/WVCryptoPlugin.cpp b/libwvdrmengine/mediacrypto/src_hidl/WVCryptoPlugin.cpp
index 563b7b44..dcbbff04 100644
--- a/libwvdrmengine/mediacrypto/src_hidl/WVCryptoPlugin.cpp
+++ b/libwvdrmengine/mediacrypto/src_hidl/WVCryptoPlugin.cpp
@@ -108,6 +108,8 @@ Return<void> WVCryptoPlugin::setSharedBufferBase(
     const hidl_memory& base, uint32_t bufferId) {
   sp<IMemory> hidlMemory = mapMemory(base);
 
+  std::lock_guard<std::mutex> shared_buffer_lock(mSharedBufferLock);
+
   // allow mapMemory to return nullptr
   mSharedBufferMap[bufferId] = hidlMemory;
   return Void();
@@ -156,7 +158,7 @@ Return<void> WVCryptoPlugin::decrypt_1_2(
     uint64_t offset,
     const DestinationBuffer& destination,
     decrypt_1_2_cb _hidl_cb) {
-
+    std::unique_lock<std::mutex> lock(mSharedBufferLock);
     if (mSharedBufferMap.find(source.bufferId) == mSharedBufferMap.end()) {
       _hidl_cb(Status_V1_2::ERROR_DRM_CANNOT_HANDLE, 0,
                "source decrypt buffer base not set");
@@ -227,6 +229,9 @@ Return<void> WVCryptoPlugin::decrypt_1_2(
     destPtr = static_cast<void *>(handle);
   }
 
+  // release mSharedBufferLock
+  lock.unlock();
+
   // Calculate the output buffer size and determine if any subsamples are
   // encrypted.
   size_t destSize = 0;