CVE-2026-22104
A type confusion vulnerability exists in the Android Runtime (ART) dex2oat ahead-of-time compiler, affecting Android 12 through 15. When processing a specially crafted APK containing malformed DEX bytecode, ART incorrectly handles type resolution during compilation, allowing an attacker to corrupt the vtable of a managed object and redirect virtual method dispatch to attacker-controlled native code. Successful exploitation achieves remote code execution in the context of the target application process.
Google TAG identified active exploitation by commercial spyware vendor Saito Tech (formerly Candiru) as Stage 1 of a 3-stage exploit chain targeting journalists, activists, and political dissidents in the Middle East and Southeast Asia. The crafted APK can be delivered via watering hole attacks, malicious ad injection leveraging the Sherlock ad-based delivery mechanism, or social engineering links.
CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Weaknesses (CWE)
CWE-843
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-22104
- https://source.android.com/docs/security/bulletin/2026/2026-03-01
- https://blog.google/threat-analysis-group/
- https://citizenlab.ca/research/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
- https://www.recordedfuture.com/research/tracking-candirus-devilstongue-spyware
- https://www.theregister.com/2026/03/05/zero_day_attacks_enterprise_tech_record/